From f0da667516a1736fe70c472663e42c9ec9445be9 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 29 Mar 2022 10:27:53 +0200
Subject: [PATCH] tlsconfig: make sure to use the correct connection, fix #5109 (#5224)
---
 CHANGELOG.md | 8 ++++++--
 mitmproxy/addons/tlsconfig.py | 9 +++++++--
 mitmproxy/proxy/layers/tls.py | 3 ++-
 test/mitmproxy/proxy/layers/test_modes.py | 1 +
 test/mitmproxy/proxy/tutils.py | 6 +++++-
 5 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2c7557b0..eb5d8293c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,12 @@
 ## Unreleased: mitmproxy next
-* Add flatpak support to the browser addon (#5200, @pauloromeira)
-* Add example addon to dump contents to files based on a filter expression (#5190, @redraw)
+* Add flatpak support to the browser addon ([#5200](https://github.com/mitmproxy/mitmproxy/issues/5200), @pauloromeira)
+* Add example addon to dump contents to files based on a filter expression ([#5190](https://github.com/mitmproxy/mitmproxy/issues/5190), @redraw)
+* Fix a bug where the wrong SNI is sent to an upstream HTTPS proxy ([#5109](https://github.com/mitmproxy/mitmproxy/issues/5109), @mhils)
 ## 19 March 2022: mitmproxy 8.0.0
diff --git a/mitmproxy/addons/tlsconfig.py b/mitmproxy/addons/tlsconfig.py
index 3a376af04..893478747 100644
--- a/mitmproxy/addons/tlsconfig.py
+++ b/mitmproxy/addons/tlsconfig.py
@@ -118,7 +118,9 @@ class TlsConfig:
 if tls_start.ssl_conn is not None:
 return # a user addon has already provided the pyOpenSSL context.
- client: connection.Client = tls_start.context.client
+ assert isinstance(tls_start.conn, connection.Client)
+
+ client: connection.Client = tls_start.conn
 server: connection.Server = tls_start.context.server
 entry = self.get_cert(tls_start.context)
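Review bot: The added `assert isinstance(tls_start.conn, connection.Client)` in the client-side hook is a bare type narrowing: it disappears under `python -O`, and when it does fire it raises an AssertionError with no message, so a misrouted hook (a Server passed where a Client is expected) is hard to diagnose from the traceback alone. A message records the contract at no cost: `assert isinstance(tls_start.conn, connection.Client), f"expected client connection, got {tls_start.conn!r}"`. Unlike the server-side hunk below, this hunk gives no hint why `tls_start.conn` is now preferred over `tls_start.context.client`; a one-line comment such as `# tls_start.conn is the connection actually being secured by this hook.` would make the two hooks read consistently. The enclosing method starts before and ends after this hunk.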
@@ -168,8 +170,11 @@ class TlsConfig:
 if tls_start.ssl_conn is not None:
 return # a user addon has already provided the pyOpenSSL context.
+ assert isinstance(tls_start.conn, connection.Server)
+
 client: connection.Client = tls_start.context.client
- server: connection.Server = tls_start.context.server
+ # tls_start.conn may be different from tls_start.context.server, e.g. an upstream HTTPS proxy.
+ server: connection.Server = tls_start.conn
 assert server.address
 if ctx.options.ssl_insecure:
diff --git a/mitmproxy/proxy/layers/tls.py b/mitmproxy/proxy/layers/tls.py
index a24a99c1f..acb172243 100644
--- a/mitmproxy/proxy/layers/tls.py
+++ b/mitmproxy/proxy/layers/tls.py
@@ -351,7 +351,8 @@ class ServerTLSLayer(_TLSLayer):
 self.tunnel_state = tunnel.TunnelState.CLOSED
 else:
 yield from self.start_tls()
- yield from self.receive_handshake_data(b"")
+ if self.tls:
+ yield from self.receive_handshake_data(b"")
 def event_to_child(self, event: events.Event) -> layer.CommandGenerator[None]:
 if self.wait_for_clienthello:
diff --git a/test/mitmproxy/proxy/layers/test_modes.py b/test/mitmproxy/proxy/layers/test_modes.py
index b04a1cf62..8a9f3c3d3 100644
--- a/test/mitmproxy/proxy/layers/test_modes.py
+++ b/test/mitmproxy/proxy/layers/test_modes.py
@@ -70,6 +70,7 @@ def test_upstream_https(tctx):
 << SendData(upstream, clienthello)
 )
 assert upstream().address == ("example.mitmproxy.org", 8081)
+ assert upstream().sni == "example.mitmproxy.org"
 assert (
 proxy2 >> DataReceived(tctx2.client, clienthello())
diff --git a/test/mitmproxy/proxy/tutils.py b/test/mitmproxy/proxy/tutils.py
index 75172a14b..30ed65f4e 100644
--- a/test/mitmproxy/proxy/tutils.py
+++ b/test/mitmproxy/proxy/tutils.py
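Review bot: With `server: connection.Server = tls_start.conn`, everything below it in the server-side hook — the visible `assert server.address` and, presumably, the SNI and certificate-verification setup that follows `if ctx.options.ssl_insecure:` outside the hunk — is now derived from the hop actually being secured, i.e. the upstream HTTPS proxy rather than the final destination in `tls_start.context.server`; that is the whole fix for #5109, and the added comment should say so explicitly so that nobody later "simplifies" it back: `# tls_start.conn is the connection being secured. For an upstream HTTPS proxy it is the proxy hop, not tls_start.context.server; SNI and certificate verification must be derived from it.` The bare `assert isinstance(tls_start.conn, connection.Server)` is stripped under `python -O` and fails without a message; `assert isinstance(tls_start.conn, connection.Server), f"expected server connection, got {tls_start.conn!r}"` keeps a misrouted hook diagnosable. The enclosing method starts before and ends after this hunk.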
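Review bot: The new `if self.tls:` guard silently skips driving the handshake when `start_tls()` returns without populating `self.tls`, and nothing in the hunk records why that can happen or what state the tunnel is left in, so a reader may take it for a missing handshake rather than a deliberate no-op. Presumably `start_tls()` (outside the hunk) already logs and closes `self.conn` when no addon supplied a TLS context; if so, a comment states the invariant: `# start_tls() may have failed (no TLS context from any addon) and already closed self.conn; nothing to drive then.` If that is not guaranteed, the `else` branch should also set `self.tunnel_state = tunnel.TunnelState.CLOSED`, as the preceding branch visible at the top of the hunk does, so the layer does not sit in an open state over a connection that never got TLS. The enclosing method starts before the hunk; `event_to_child` begins inside it.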
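Review bot: The new `assert upstream().sni == "example.mitmproxy.org"` in `test_upstream_https` pins the fix, but next to the address assertion it reads as an arbitrary value rather than the regression it guards, and a future maintainer could "fix" the expectation to the destination host without realising what breaks. A one-line comment ties it to the bug: `# #5109: the SNI must name the upstream proxy hop we are handshaking with, not the final destination.` Asserting the negative too — that the SNI is not the destination host this test routes through — would make a regression fail with a clearer message, if that host is easy to reference here; the rest of the test body is outside the hunk.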
@@ -201,9 +201,13 @@ class Playbook:
 x.connection.timestamp_end = 1624544787
 self.actual.append(x)
+ cmds: typing.List[commands.Command] = []
 try:
- cmds: typing.List[commands.Command] = list(self.layer.handle_event(x))
+ # consume them one by one so that we can extend the log with all commands until traceback.
+ for cmd in self.layer.handle_event(x):
+ cmds.append(cmd)
 except Exception:
+ self.actual.extend(cmds)
 self.actual.append(_TracebackInPlaybook(traceback.format_exc()))
 break