diff --git a/mitmproxy/cmdline.py b/mitmproxy/cmdline.py
index b15e04278..f703b8ecb 100644
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@@ -7,7 +7,6 @@ import configargparse
 from mitmproxy import exceptions
 from mitmproxy import filt
-from mitmproxy.proxy import config
 from mitmproxy import platform
 from netlib import human
 from netlib import tcp
@@ -17,6 +16,18 @@ APP_HOST = "mitm.it"
 APP_PORT = 80
 CA_DIR = "~/.mitmproxy"
+# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
+DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:" \
+    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:" \
+    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:" \
+    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:" \
+    "DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:" \
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:" \
+    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
+    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
 class ParseException(Exception):
     pass
@@ -244,6 +255,8 @@ def get_common_options(args):
         body_size_limit = body_size_limit,
         cadir = args.cadir,
         certs = certs,
+        ciphers_client = args.ciphers_client,
+        ciphers_server = args.ciphers_server,
         clientcerts = args.clientcerts,
         ignore_hosts = args.ignore_hosts,
         listen_host = args.addr,
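Review bot: `DEFAULT_CLIENT_CIPHERS` is assembled from string fragments joined by implicit concatenation, so a fragment that loses its trailing `:` fuses two suite names into one token that OpenSSL presumably ignores as unknown, quietly shrinking the offered list without any error; building it as `DEFAULT_CLIENT_CIPHERS = ":".join([...])` with one suite or selector per element keeps each entry individually checkable, and a test that feeds the result to an SSL context would catch a broken entry. The header comment explains the HTTP/2 motivation but not that this is the Mozilla "old" compatibility profile, which deliberately keeps 3DES (`DES-CBC3-SHA`, `ECDHE-*-DES-CBC3-SHA`) so legacy clients can still be intercepted; a line such as `# Mozilla "old" profile: intentionally permissive (incl. 3DES); operators tighten it with --ciphers-client.` would make the trade-off explicit to whoever next audits this list. The constant now lives in the CLI module while `mitmproxy.flow.options` imports it from here, presumably to avoid the cycle that dropping `from mitmproxy.proxy import config` resolves; a small leaf module for TLS defaults would keep the dependency direction clearer than having a TLS policy owned by argument parsing.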
@@ -487,7 +500,7 @@ def proxy_ssl_options(parser):
         'as the first entry. Can be passed multiple times.')
     group.add_argument(
         "--ciphers-client", action="store",
-        type=str, dest="ciphers_client", default=config.DEFAULT_CLIENT_CIPHERS,
+        type=str, dest="ciphers_client", default=DEFAULT_CLIENT_CIPHERS,
         help="Set supported ciphers for client connections. (OpenSSL Syntax)"
     )
     group.add_argument(
diff --git a/mitmproxy/flow/options.py b/mitmproxy/flow/options.py
index 78268b897..2586fec71 100644
--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@@ -43,6 +43,8 @@ class Options(options.Options):
             body_size_limit=None, # type: Optional[int]
             cadir = cmdline.CA_DIR, # type: str
             certs = (), # type: Sequence[Tuple[str, str]]
+            ciphers_client = cmdline.DEFAULT_CLIENT_CIPHERS, # type: str
+            ciphers_server = None, # type: Optional[str]
             clientcerts = None, # type: Optional[str]
             ignore_hosts = (), # type: Sequence[str]
             listen_host = "", # type: str
@@ -92,6 +94,8 @@ class Options(options.Options):
         self.body_size_limit = body_size_limit
         self.cadir = cadir
         self.certs = certs
+        self.ciphers_client = ciphers_client
+        self.ciphers_server = ciphers_server
         self.clientcerts = clientcerts
         self.ignore_hosts = ignore_hosts
         self.listen_host = listen_host
diff --git a/mitmproxy/protocol/tls.py b/mitmproxy/protocol/tls.py
index 6dc4f64bb..c44df299c 100644
--- a/mitmproxy/protocol/tls.py
+++ b/mitmproxy/protocol/tls.py
@@ -483,7 +483,7 @@ class TlsLayer(base.Layer):
             cert, key,
             method=self.config.openssl_method_client,
             options=self.config.openssl_options_client,
-            cipher_list=self.config.ciphers_client,
+            cipher_list=self.config.options.ciphers_client,
             dhparams=self.config.certstore.dhparams,
             chain_file=chain_file,
             alpn_select_callback=self.__alpn_select_callback,
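Review bot: `ciphers_server = None, # type: Optional[str]` records the type but not that the value is a policy switch: the consumer in `TlsLayer` (protocol/tls.py) treats any falsy value — `None`, or the empty string an operator can pass through `--ciphers-server` — as "no explicit list" and appears to derive the upstream offer from the intercepted client's ClientHello instead, while a non-empty string is used as given. A trailing comment where the default is declared, e.g. `# type: Optional[str]  # None/"" -> upstream offer is derived from the client's ClientHello (see TlsLayer)`, keeps that behaviour visible at the point an operator or test would change it. `ciphers_client` likewise deserves `# OpenSSL cipher string offered to intercepted clients; default is a permissive compatibility profile`. The enclosing `Options.__init__` signature and body both extend beyond the hunks.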
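Review bot: `cipher_list=self.config.options.ciphers_client` passes an operator-supplied OpenSSL cipher string to the context without any validation, so a mistyped `--ciphers-client` presumably only surfaces as a handshake failure on the first intercepted connection rather than at startup, and a partially misspelled list would silently offer fewer suites than the operator intended. Validating once at option-processing time — in `process_proxy_options(parser, options, args)`, building a throwaway context with the configured string and reporting failure via `parser.error(...)` — fails fast and leaves this per-connection path untouched. The same applies to `ciphers_server`, read the same way in the hunk at old line 522 of this file. The enclosing method starts before and ends after this hunk.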
@@ -522,7 +522,7 @@ class TlsLayer(base.Layer):
         if alpn and b"h2" in alpn and not self.config.http2:
             alpn.remove(b"h2")
-        ciphers_server = self.config.ciphers_server
+        ciphers_server = self.config.options.ciphers_server
         if not ciphers_server:
             ciphers_server = []
             for id in self._client_hello.cipher_suites:
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 2bf044a0f..6e645b99b 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@@ -17,18 +17,6 @@ from netlib.http import url
 CONF_BASENAME = "mitmproxy"
-# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
-DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:" \
-    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
-    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:" \
-    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:" \
-    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:" \
-    "DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:" \
-    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:" \
-    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
-    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 class HostMatcher(object):
@@ -89,13 +77,9 @@ class ProxyConfig:
             authenticator=None,
             http2=True,
             rawtcp=False,
-            ciphers_client=DEFAULT_CLIENT_CIPHERS,
-            ciphers_server=None,
             certs=tuple(),
     ):
         self.options = options
-        self.ciphers_client = ciphers_client
-        self.ciphers_server = ciphers_server
         self.no_upstream_cert = no_upstream_cert
         self.http2 = http2
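Review bot: `ProxyConfig` now depends on the passed `options` object exposing `ciphers_client` and `ciphers_server`, but nothing at `self.options = options` states or checks that contract, so an `options` built from the base class or by an older caller only fails later inside `TlsLayer` with an `AttributeError` in the middle of a handshake. A comment on the constructor, e.g. `# options must provide ciphers_client/ciphers_server (see flow.options.Options); TlsLayer reads them per connection`, or an attribute check at construction, moves that failure to startup. Removing the two keyword parameters also turns any remaining direct `ProxyConfig(..., ciphers_client=...)` caller — tests or scripts, if any exist — into a `TypeError`, which is the right fail-fast outcome but worth noting in the commit message. The `__init__` signature begins before the hunk.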
@@ -209,6 +193,4 @@ def process_proxy_options(parser, options, args):
         http2=args.http2,
         rawtcp=args.rawtcp,
         authenticator=authenticator,
-        ciphers_client=args.ciphers_client,
-        ciphers_server=args.ciphers_server,
     )