authorKyle Morton <kylemorton@google.com>2015-06-29 10:32:57 -0700
committerKyle Morton <kylemorton@google.com>2015-06-29 11:00:20 -0700
commitf0ad1f334ca57fdf57a3bfb190d314fc8d983475 (patch)
treea22397901680338545ee69d614ed418e40528475 /libmproxy
parentaebad44d550d917489c802d0d51e1002f87b4e3b (diff)
downloadmitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.tar.gz
mitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.tar.bz2
mitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.zip
Enabling upstream server verification. Added flags --verify-upstream-cert,
--upstream-trusted-cadir, and --upstream-trusted-ca.
Diffstat (limited to 'libmproxy')
-rw-r--r--libmproxy/proxy/config.py32
-rw-r--r--libmproxy/proxy/server.py17
2 files changed, 48 insertions, 1 deletions
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index a7a719cf..c5306b4a 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -52,6 +52,9 @@ class ProxyConfig:
ssl_version_server=tcp.SSL_DEFAULT_METHOD,
ssl_ports=TRANSPARENT_SSL_PORTS,
spoofed_ssl_port=None,
+ ssl_verify_upstream_cert=False,
+ ssl_upstream_trusted_cadir=None,
+ ssl_upstream_trusted_ca=None
):
self.host = host
self.port = port
@@ -100,6 +103,13 @@ class ProxyConfig:
self.openssl_method_server = ssl_version_server
else:
self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server]
+
+ if ssl_verify_upstream_cert:
+ self.openssl_verification_mode_server = SSL.VERIFY_PEER
+ else:
+ self.openssl_verification_mode_server = SSL.VERIFY_NONE
+ self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir
+ self.openssl_trusted_ca_server = ssl_upstream_trusted_ca
self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS
self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS
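Review bot: `SSL.VERIFY_PEER` / `SSL.VERIFY_NONE` on the two new assignment lines use an `SSL` name that this diff never imports; the diffstat accounts for all 32 changed lines in config.py, so `from OpenSSL import SSL` must already be at the top of the file — worth confirming, because a missing import would only surface as a NameError when ProxyConfig is constructed. Style: the four-line if/else reads more clearly as `self.openssl_verification_mode_server = SSL.VERIFY_PEER if ssl_verify_upstream_cert else SSL.VERIFY_NONE`. A one-line comment would also help the next reader: `# VERIFY_PEER validates the chain against the CA store below; it does not by itself match the certificate to the requested host name`. The enclosing `__init__` starts before this hunk and ends after it.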
@@ -203,7 +213,10 @@ def process_proxy_options(parser, options):
ssl_version_client=options.ssl_version_client,
ssl_version_server=options.ssl_version_server,
ssl_ports=ssl_ports,
- spoofed_ssl_port=spoofed_ssl_port
+ spoofed_ssl_port=spoofed_ssl_port,
+ ssl_verify_upstream_cert=options.ssl_verify_upstream_cert,
+ ssl_upstream_trusted_cadir=options.ssl_upstream_trusted_cadir,
+ ssl_upstream_trusted_ca=options.ssl_upstream_trusted_ca
)
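Review bot: The three new options are passed straight through without any validation, so `--verify-upstream-cert` given without `--upstream-trusted-ca` or `--upstream-trusted-cadir` leaves the server context with an empty trust store (unless netlib loads the platform default paths, which this diff does not show) and every upstream TLS handshake then fails with a 502 instead of a clear configuration error. Next to the existing option checks in process_proxy_options add `if options.ssl_verify_upstream_cert and not (options.ssl_upstream_trusted_ca or options.ssl_upstream_trusted_cadir): parser.error("--verify-upstream-cert requires --upstream-trusted-ca or --upstream-trusted-cadir")`, and reject a CA path that is not an existing file / directory the same way rather than letting it fail per connection. process_proxy_options begins before this hunk.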
@@ -243,6 +256,23 @@ def ssl_option_group(parser):
help="Don't connect to upstream server to look up certificate details."
)
group.add_argument(
+ "--verify-upstream-cert", default=False,
+ action="store_true", dest="ssl_verify_upstream_cert",
+ help="Verify upstream server SSL/TLS certificates and fail if invalid "
+ "or not present."
+ )
+ group.add_argument(
+ "--upstream-trusted-cadir", default=None, action="store",
+ dest="ssl_upstream_trusted_cadir",
+ help="Path to a directory of trusted CA certificates for upstream "
+ "server verification prepared using the c_rehash tool."
+ )
+ group.add_argument(
+ "--upstream-trusted-ca", default=None, action="store",
+ dest="ssl_upstream_trusted_ca",
+ help="Path to a PEM formatted trusted CA certificate."
+ )
+ group.add_argument(
"--ssl-port",
action="append",
type=int,
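Review bot: The help text for `--upstream-trusted-ca` does not say what the certificate is used for or that it (like `--upstream-trusted-cadir`) has no effect unless `--verify-upstream-cert` is also given; suggest `help="Path to a PEM formatted trusted CA certificate for upstream server verification (used together with --verify-upstream-cert)."` and the same "used together with --verify-upstream-cert" clause on the cadir option. The `--verify-upstream-cert` help promises to "fail if invalid"; unless netlib matches the certificate against the host name, that should be worded as chain validation against the supplied CA store so users do not assume host-name checking. ssl_option_group continues past the end of this hunk.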
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 051e8489..2711bd0e 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -235,8 +235,18 @@ class ConnectionHandler:
sni,
method=self.config.openssl_method_server,
options=self.config.openssl_options_server,
+ verify_options=self.config.openssl_verification_mode_server,
+ ca_path=self.config.openssl_trusted_cadir_server,
+ ca_pemfile=self.config.openssl_trusted_ca_server,
cipher_list=self.config.ciphers_server,
)
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Ignoring server verification error, continuing with connection", "error")
except tcp.NetLibError as v:
e = ProxyError(502, repr(v))
# Workaround for https://github.com/mitmproxy/mitmproxy/issues/427
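Review bot: The "Ignoring server verification error, continuing with connection" branch after `convert_to_ssl` is reached only when the handshake completed despite a recorded verification error; with `SSL.VERIFY_PEER` a failed verification presumably aborts the handshake and lands in the `except tcp.NetLibError` branch instead, so in practice this branch fires under the default `VERIFY_NONE`, where the user never asked for verification, and logging it at "error" level is misleading. Either gate it on the configured mode or lower it, e.g. `self.log("Ignoring server verification error, continuing with connection", "warn")`, and keep "error" for the aborting path. Separately, nothing in the new `convert_to_ssl` arguments ties the presented certificate to `sni` or the requested host, so unless netlib performs host-name matching itself, `--verify-upstream-cert` accepts any certificate that chains to a trusted CA regardless of which host it was issued for; that limitation belongs in a comment here and in the option's help text. The enclosing method starts before this hunk.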
@@ -246,6 +256,13 @@ class ConnectionHandler:
if client and "handshake failure" in e.message:
self.server_conn.may_require_sni = e
else:
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Aborting connection attempt", "error")
raise e
if client:
if self.client_conn.ssl_established:
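Review bot: The five-line verification-error log block in the `else:` branch is a verbatim copy of the one in the success path a few lines above, differing only in the trailing "Aborting connection attempt" / "Ignoring ..." message; a small helper keeps the two messages in sync and makes it easy to add the OpenSSL error string later if netlib exposes it. Call sites become `self._log_ssl_verification_error(ssl_cert_err, "Aborting connection attempt")` and the matching "Ignoring server verification error, continuing with connection" variant. The enclosing method continues past the end of this hunk.
```python
def _log_ssl_verification_error(self, err, outcome):
    """Log a recorded upstream certificate verification failure.

    err is the dict netlib stores on ssl_verification_error (keys
    'depth' and 'errno'); outcome says what the caller does next.
    """
    self.log(
        "SSL verification failed for upstream server at depth %s with error: %s" %
        (err['depth'], err['errno']),
        "error")
    self.log(outcome, "error")
```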