authorAldo Cortesi <aldo@corte.si>2015-06-30 10:51:46 +1200
committerAldo Cortesi <aldo@corte.si>2015-06-30 10:51:46 +1200
commit5ad6773e78404fc10f694ebf2f2d72d28df617a3 (patch)
treea22397901680338545ee69d614ed418e40528475 /libmproxy/proxy/server.py
parentaebad44d550d917489c802d0d51e1002f87b4e3b (diff)
parentf0ad1f334ca57fdf57a3bfb190d314fc8d983475 (diff)
Merge pull request #661 from kyle-m/master
Enabling upstream server verification.
Diffstat (limited to 'libmproxy/proxy/server.py')
-rw-r--r--libmproxy/proxy/server.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 051e8489..2711bd0e 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -235,8 +235,18 @@ class ConnectionHandler:
sni,
method=self.config.openssl_method_server,
options=self.config.openssl_options_server,
+ verify_options=self.config.openssl_verification_mode_server,
+ ca_path=self.config.openssl_trusted_cadir_server,
+ ca_pemfile=self.config.openssl_trusted_ca_server,
cipher_list=self.config.ciphers_server,
)
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Ignoring server verification error, continuing with connection", "error")
except tcp.NetLibError as v:
e = ProxyError(502, repr(v))
# Workaround for https://github.com/mitmproxy/mitmproxy/issues/427
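Review bot: The success-path check `if ssl_cert_err is not None:` leaves only a log line when upstream validation fails, and that line omits which upstream it concerns, so it is hard to alert on or triage; the same applies to the copy of this message in the second hunk. The proxy then keeps relaying to the unvalidated peer, and I would add the peer to the message, e.g. `"SSL verification failed for upstream server %s at depth %s with error: %s" % (sni, ssl_cert_err['depth'], ssl_cert_err['errno'])`, or the connection's address if `sni` can be empty here. This branch is presumably reached only when `openssl_verification_mode_server` does not make the handshake itself fail; since that setting is not visible in this file, a comment next to `verify_options=` should say so, and that in this mode the client gets no indication of the failure. The enclosing method starts and ends outside the hunk.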
@@ -246,6 +256,13 @@ class ConnectionHandler:
if client and "handshake failure" in e.message:
self.server_conn.may_require_sni = e
else:
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Aborting connection attempt", "error")
raise e
if client:
if self.client_conn.ssl_established:
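Review bot: The five lines added under `else:` repeat the block added after the handshake call in the first hunk, differing only in the final message, so the two audit-relevant log lines can drift apart when one of them is edited. A small private method on the handler that reads `self.server_conn.ssl_verification_error` once and takes the outcome text as a parameter would keep them identical. The helper name below is only a suggestion, and the enclosing `except` block begins outside this hunk.

```python
def _log_ssl_verification_error(self, outcome):
    # Shared by the success and failure paths of the upstream handshake.
    err = self.server_conn.ssl_verification_error
    if err is None:
        return
    self.log(
        "SSL verification failed for upstream server at depth %s with error: %s" %
        (err['depth'], err['errno']),
        "error")
    self.log(outcome, "error")

# ... unchanged: "handshake failure" / may_require_sni branch ...
                else:
                    self._log_ssl_verification_error("Aborting connection attempt")
                    raise e
```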