diff options
| author | David Weinstein <dweinst@insitusec.com> | 2016-01-26 13:09:22 -0500 |
|---|---|---|
| committer | David Weinstein <dweinst@insitusec.com> | 2016-01-26 13:09:22 -0500 |
| commit | 4be8d148b13ae15d6b0f287935d3dc53a40cdf28 (patch) | |
| tree | 541a225b6dc6dcead0b70a7cf4d65b5aafef0154 | |
| parent | 8f8c2efccd52f9791cc5990f9863cdd02617bc0d (diff) | |
| download | mitmproxy-4be8d148b13ae15d6b0f287935d3dc53a40cdf28.tar.gz mitmproxy-4be8d148b13ae15d6b0f287935d3dc53a40cdf28.tar.bz2 mitmproxy-4be8d148b13ae15d6b0f287935d3dc53a40cdf28.zip | |
Add SNI ignore docs and have code match it
| -rw-r--r-- | docs/features/passthrough.rst | 4 | ||||
| -rw-r--r-- | libmproxy/proxy/root_context.py | 18 |
2 files changed, 11 insertions, 11 deletions
diff --git a/docs/features/passthrough.rst b/docs/features/passthrough.rst index 80521393..b7b5df84 100644 --- a/docs/features/passthrough.rst +++ b/docs/features/passthrough.rst @@ -31,9 +31,9 @@ mitmproxy allows you to specify a regex which is matched against a ``host:port`` There are two important quirks to consider: -- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the +- **In transparent mode, the ignore pattern is matched against the IP and ClientHello SNI host.** While we usually infer the hostname from the Host header if the :option:`--host` argument is passed to mitmproxy, we do not - have access to this information before the SSL handshake. + have access to this information before the SSL handshake. If the client uses SNI however, then we treat the SNI host as an ignore target. - In regular mode, explicit HTTP requests are never ignored. [#explicithttp]_ The ignore pattern is applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections. diff --git a/libmproxy/proxy/root_context.py b/libmproxy/proxy/root_context.py index 8a3372e0..d70fc299 100644 --- a/libmproxy/proxy/root_context.py +++ b/libmproxy/proxy/root_context.py @@ -55,15 +55,15 @@ class RootContext(object): # 1. check for --ignore if self.config.check_ignore: - address = top_layer.server_conn.address - if client_tls: - try: - client_hello = TlsClientHello.from_client_conn(self.client_conn) - except TlsProtocolException as e: - self.log("Cannot parse Client Hello: %s" % repr(e), "error") - else: - address = (client_hello.client_sni, 443) - if self.config.check_ignore(address): + ignore = self.config.check_ignore(top_layer.server_conn.address) + if not ignore and client_tls: + try: + client_hello = TlsClientHello.from_client_conn(self.client_conn) + except TlsProtocolException as e: + self.log("Cannot parse Client Hello: %s" % repr(e), "error") + else: + ignore = self.config.check_ignore((client_hello.client_sni, 443)) + if ignore: return RawTCPLayer(top_layer, logging=False) # 2. Always insert a TLS layer, even if there's neither client nor server tls. |