authorMaximilian Hils <git@maximilianhils.com>2014-10-21 15:08:39 +0200
committerMaximilian Hils <git@maximilianhils.com>2014-10-21 15:08:39 +0200
commit6cef6fbfec92f1154b6a5b986548478137598975 (patch)
tree753cc9c793bde27c58806a0993788d440307e802 /libmproxy
parent37cc6ae0bbb32e528435f821469d36055574a810 (diff)
tweak SSL detection heuristics
Diffstat (limited to 'libmproxy')
-rw-r--r--libmproxy/protocol/http.py10
-rw-r--r--libmproxy/proxy/config.py9
2 files changed, 17 insertions, 2 deletions
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index 33d860ca..adb743a2 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -1269,7 +1269,15 @@ class HTTPHandler(ProtocolHandler):
self.expected_form_out = "relative"
self.skip_authentication = True
- if address.port in self.c.config.ssl_ports:
+ # In practice, nobody issues a CONNECT request to send unencrypted HTTP requests afterwards.
+ # If we don't delegate to TCP mode, we should always negotiate a SSL connection.
+ should_establish_ssl = (
+ address.port in self.c.config.ssl_ports
+ or
+ not self.c.config.check_tcp(address)
+ )
+
+ if should_establish_ssl:
self.c.log("Received CONNECT request to SSL port. Upgrading to SSL...", "debug")
self.c.establish_ssl(server=True, client=True)
self.c.log("Upgrade to SSL completed.", "debug")
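Review bot: The debug message right after the new condition still says "Received CONNECT request to SSL port", but with `should_establish_ssl` the upgrade now also fires for CONNECTs to ports outside `ssl_ports` whenever `check_tcp(address)` is false, so the log is misleading in exactly the case this commit adds. Reword it to `self.c.log("Received CONNECT request. Upgrading to SSL...", "debug")`, or log which of the two conditions triggered, so that a failed handshake on a non-standard port can be traced back to this heuristic. The comment above the condition could also state the consequence: a client that tunnels plaintext through CONNECT on such a port will now hit a TLS handshake failure unless the destination is matched by the TCP check (what `check_tcp` matches is not visible in this hunk). The enclosing HTTPHandler method starts and ends outside the hunk.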
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 948decc1..fe2b45f4 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -127,6 +127,12 @@ def process_proxy_options(parser, options):
parser.error("Certificate file does not exist: %s" % parts[1])
certs.append(parts)
+ ssl_ports = options.ssl_ports
+ if options.ssl_ports != TRANSPARENT_SSL_PORTS:
+ # arparse appends to default value by default, strip that off.
+ # see http://bugs.python.org/issue16399
+ ssl_ports = ssl_ports[len(TRANSPARENT_SSL_PORTS):]
+
return ProxyConfig(
host=options.addr,
port=options.port,
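Review bot: The strip on `ssl_ports` hinges on `options.ssl_ports != TRANSPARENT_SSL_PORTS` comparing the argparse list to the constant; if `TRANSPARENT_SSL_PORTS` is not itself a list (its definition is outside this diff, and the last hunk wraps it in `list(...)`), the comparison is always true and the default ports are stripped even when no `--ssl-port` was given, leaving an empty list and no SSL upgrade on 443. A sturdier form that avoids the equality check entirely is `default=None` on the `--ssl-port` argument in the last hunk together with `ssl_ports = options.ssl_ports if options.ssl_ports is not None else list(TRANSPARENT_SSL_PORTS)` here, which also gives a user who explicitly passes the default ports exactly what they asked for. The new comment has a typo, `arparse` should read `argparse`. process_proxy_options starts and ends outside the hunk.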
@@ -144,6 +150,7 @@ def process_proxy_options(parser, options):
ciphers=options.ciphers,
certs=certs,
certforward=options.certforward,
+ ssl_ports=ssl_ports
)
@@ -180,7 +187,7 @@ def ssl_option_group(parser):
help="Don't connect to upstream server to look up certificate details."
)
group.add_argument(
- "--ssl-port", action="append", type=int, dest="ssl_ports", default=TRANSPARENT_SSL_PORTS,
+ "--ssl-port", action="append", type=int, dest="ssl_ports", default=list(TRANSPARENT_SSL_PORTS),
metavar="PORT",
help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
"Defaults to %s." % str(TRANSPARENT_SSL_PORTS)