931b5459e9
remove code duplication
2016-02-01 20:19:34 +01:00
a3af0ce71d
tests++
2016-02-01 20:10:18 +01:00
bda49dd178
fix #113 , make Reader.peek() work on Python 3
2016-02-01 19:38:14 +01:00
b8e8c4d682
Simplified setting the source_address in the TCPClient constructor
2016-01-11 08:10:36 +01:00
4bb9f3d35b
Added getter/setter for TCPClient source_address
2016-01-08 18:04:47 +01:00
810c2f2414
Merge remote-tracking branch 'origin/hostname-validation'
2015-11-04 21:33:32 +01:00
9d36f8e43f
minor fixes
2015-11-01 18:20:00 +01:00
5af9df326a
fix certificate verification
...
This commit fixes netlib's optional (turned off by default)
certificate verification, which previously did not validate the
cert's host name. As it turns out, verifying the connection's host
name on an intercepting proxy is not really straightforward - if
we receive a connection in transparent mode without SNI, we have no
clue which hosts the client intends to connect to. There are two
basic approaches to solve this problem:
1. Exactly mirror the host names presented by the server in the
spoofed certificate presented to the client.
2. Require the client to send the TLS Server Name Indication
extension. While this does not work with older clients,
we can validate the hostname on the proxy.
Approach 1 is problematic in mitmproxy's use case, as we may want
to deliberately divert connections without the client's knowledge.
As a consequence, we opt for approach 2. While mitmproxy does now
require a SNI value to be sent by the client if certificate
verification is turned on, we retain our ability to present
certificates to the client which are accepted with a maximum
likelihood.
2015-11-01 18:15:30 +01:00
e9fe45f3f4
backport changes
2015-09-21 18:45:49 +02:00
daebd1bd27
python3++
2015-09-20 20:35:45 +02:00
0ad5cbc6bf
python3++
2015-09-20 19:56:45 +02:00
3f1ca556d1
python3++
2015-09-20 18:12:55 +02:00
dad9f06cb9
organize exceptions, improve content-length handling
2015-09-17 02:14:14 +02:00
11e7f476bd
wip
2015-09-15 19:12:15 +02:00
a38142d595
don't yield empty chunks
2015-09-11 01:17:39 +02:00
a5f7752cf1
add ssl_read_select
2015-09-10 11:30:41 +02:00
32b3c32138
add tcp.Address.__hash__
2015-09-08 21:31:27 +02:00
1265945f55
move sslversion mapping to netlib
2015-08-29 12:30:35 +02:00
982d8000c4
wip
2015-08-28 17:35:48 +02:00
de0ced73f8
fix error messages
2015-08-25 18:33:55 +02:00
9920de1e15
tcp._Connection: clean up code, fix inheritance
2015-08-19 16:06:33 +02:00
6810fba54e
add ssl peek polyfill
2015-08-19 16:05:42 +02:00
231656859f
TCPClient: more sophisticated address handling
2015-08-18 21:08:42 +02:00
62416daa4a
add Reader.peek()
2015-08-18 21:08:01 +02:00
c92dc1b868
re-add form_out
2015-08-18 21:07:38 +02:00
85cede47aa
allow direct ALPN callback method
2015-08-16 11:41:34 +02:00
c2832ef72b
fix mitmproxy/mitmproxy#705
2015-08-03 18:06:31 +02:00
1b26161382
add distinct error for cert verification issues
2015-07-24 16:47:28 +02:00
c17af4162b
Added a fix for pre-1.0 OpenSSL which wasn't correctly erring on failed certificate validation
2015-07-21 19:15:11 -07:00
155bdeb123
Fixing default CA which ought to be read as a pemfile and not a directory
2015-07-21 18:09:42 -07:00
0a2b25187f
Fixing how certifi is made the default ca_path to simplify calling logic.
2015-06-26 14:57:00 -07:00
db6576ca6f
Merge pull request #76 from kyle-m/master
...
Provide debugging information when upstream server certificate fails validation
2015-06-24 09:27:08 +12:00
d1452424be
Cleaning up upstream server verification. Adding storage of cerificate
...
verification errors on TCPClient object to enable warnings in downstream
projects.
2015-06-22 17:31:13 -07:00
7afe44ba4e
Updating TCPServer to allow tests (and potentially other use cases) to serve
...
certificate chains instead of only single certificates.
2015-06-22 16:48:09 -07:00
58118d607e
unify SSL version/method handling
2015-06-22 20:39:34 +02:00
69e71097f7
mark unused variables and arguments
2015-06-18 17:14:38 +02:00
4579c67150
Merge branch 'master' of https://github.com/kyle-m/netlib into kyle-m-master
2015-06-18 12:23:03 +12:00
6e301f37d0
Only set OP_NO_COMPRESSION by default if it exists in our version of OpenSSL
...
We'll need to start testing under both new and old versions of OpenSSL
somehow to catch these...
2015-06-18 12:18:22 +12:00
4152b14387
Merge pull request #71 from Kriechi/landscape
...
fix warnings and code smells
2015-06-18 12:07:20 +12:00
836b1eab97
fix warnings and code smells
...
use prospector to find them
2015-06-17 13:10:27 +02:00
c9c93af453
Adding certifi as default CA bundle.
2015-06-16 11:11:10 -07:00
abb37a3ef5
http2: improve test suite
2015-06-16 15:00:28 +02:00
79ff439930
add elliptic curve during TLS handshake
2015-06-16 15:00:28 +02:00
bb206323ab
Merge pull request #69 from kyle-m/master
...
Adding support for upstream certificate validation when using SSL/TLS…
2015-06-16 10:34:09 +12:00
fe764cde52
Adding support for upstream certificate validation when using SSL/TLS with an
...
instance of TCPClient.
2015-06-15 10:18:54 -07:00
0d137eac6f
simplify ALPN
2015-06-14 19:50:35 +02:00
9c6d237d02
add new TLS methods
2015-06-14 18:17:53 +02:00
5fab755a05
add more tests
2015-06-12 15:27:29 +02:00
eeaed93a83
improve ALPN integration
2015-06-11 15:37:17 +02:00
0595585974
fix coding style
2015-06-08 17:00:03 +02:00
Maximilian Hils