ProxyConfig: ciphers_client and ciphers_server -> Options

mitmproxy/cmdline.py

@@ -7,7 +7,6 @@ import configargparse
 
 from mitmproxy import exceptions
 from mitmproxy import filt
-from mitmproxy.proxy import config
 from mitmproxy import platform
 from netlib import human
 from netlib import tcp
@@ -17,6 +16,18 @@ APP_HOST = "mitm.it"
 APP_PORT = 80
 CA_DIR = "~/.mitmproxy"
 
+# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
+DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:" \
+    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:" \
+    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:" \
+    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:" \
+    "DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:" \
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:" \
+    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
+    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
 
 class ParseException(Exception):
     pass
@@ -244,6 +255,8 @@ def get_common_options(args):
         body_size_limit = body_size_limit,
         cadir = args.cadir,
         certs = certs,
+        ciphers_client = args.ciphers_client,
+        ciphers_server = args.ciphers_server,
         clientcerts = args.clientcerts,
         ignore_hosts = args.ignore_hosts,
         listen_host = args.addr,
@@ -487,7 +500,7 @@ def proxy_ssl_options(parser):
              'as the first entry. Can be passed multiple times.')
     group.add_argument(
         "--ciphers-client", action="store",
-        type=str, dest="ciphers_client", default=config.DEFAULT_CLIENT_CIPHERS,
+        type=str, dest="ciphers_client", default=DEFAULT_CLIENT_CIPHERS,
         help="Set supported ciphers for client connections. (OpenSSL Syntax)"
     )
     group.add_argument(

mitmproxy/flow/options.py

@@ -43,6 +43,8 @@ class Options(options.Options):
             body_size_limit=None,  # type: Optional[int]
             cadir = cmdline.CA_DIR,  # type: str
             certs = (),  # type: Sequence[Tuple[str, str]]
+            ciphers_client = cmdline.DEFAULT_CLIENT_CIPHERS,   # type: str
+            ciphers_server = None,   # type: Optional[str]
             clientcerts = None,  # type: Optional[str]
             ignore_hosts = (),  # type: Sequence[str]
             listen_host = "",  # type: str
@@ -92,6 +94,8 @@ class Options(options.Options):
         self.body_size_limit = body_size_limit
         self.cadir = cadir
         self.certs = certs
+        self.ciphers_client = ciphers_client
+        self.ciphers_server = ciphers_server
         self.clientcerts = clientcerts
         self.ignore_hosts = ignore_hosts
         self.listen_host = listen_host

mitmproxy/protocol/tls.py

@@ -483,7 +483,7 @@ class TlsLayer(base.Layer):
                 cert, key,
                 method=self.config.openssl_method_client,
                 options=self.config.openssl_options_client,
-                cipher_list=self.config.ciphers_client,
+                cipher_list=self.config.options.ciphers_client,
                 dhparams=self.config.certstore.dhparams,
                 chain_file=chain_file,
                 alpn_select_callback=self.__alpn_select_callback,
@@ -522,7 +522,7 @@ class TlsLayer(base.Layer):
             if alpn and b"h2" in alpn and not self.config.http2:
                 alpn.remove(b"h2")
 
-            ciphers_server = self.config.ciphers_server
+            ciphers_server = self.config.options.ciphers_server
             if not ciphers_server:
                 ciphers_server = []
                 for id in self._client_hello.cipher_suites:

mitmproxy/proxy/config.py

@@ -17,18 +17,6 @@ from netlib.http import url
 
 CONF_BASENAME = "mitmproxy"
 
-# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
-DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:" \
-    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
-    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:" \
-    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:" \
-    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:" \
-    "DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:" \
-    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:" \
-    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
-    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
-
 
 class HostMatcher(object):
 
@@ -89,13 +77,9 @@ class ProxyConfig:
             authenticator=None,
             http2=True,
             rawtcp=False,
-            ciphers_client=DEFAULT_CLIENT_CIPHERS,
-            ciphers_server=None,
             certs=tuple(),
     ):
         self.options = options
-        self.ciphers_client = ciphers_client
-        self.ciphers_server = ciphers_server
         self.no_upstream_cert = no_upstream_cert
 
         self.http2 = http2
@@ -209,6 +193,4 @@ def process_proxy_options(parser, options, args):
         http2=args.http2,
         rawtcp=args.rawtcp,
         authenticator=authenticator,
-        ciphers_client=args.ciphers_client,
-        ciphers_server=args.ciphers_server,
     )