authorikoz <john@kozyrakis.gr>2016-03-02 15:23:33 +0000
committerikoz <john@kozyrakis.gr>2016-03-08 18:13:36 +0000
commit0169271bf993aa16b4d5627eda8523552661d7ef (patch)
treefa176d5c0f94b4b380364f1cf493b06b4ea1f7de /netlib/tcp.py
parentea3742c3938248c273be159d15ac49b4d2884ed8 (diff)
New option: Add server certs to client chain
If enabled, append all server certificates to the certificate chain served to the client, as extras. Can be used to bypass certain certificate pinning implementations.
Diffstat (limited to 'netlib/tcp.py')
-rw-r--r--netlib/tcp.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 6423888a..68a71270 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -584,6 +584,7 @@ class TCPClient(_Connection):
self.address = address
self.source_address = source_address
self.cert = None
+ self.server_certs = []
self.ssl_verification_error = None
self.sni = None
@@ -668,6 +669,10 @@ class TCPClient(_Connection):
self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
+ # Keep all server certificates in a list
+ for i in self.connection.get_peer_cert_chain():
+ self.server_certs.append(certutils.SSLCert(i))
+
# Validate TLS Hostname
try:
crt = dict(
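Review bot: `get_peer_cert_chain()` can return `None` when the peer supplied no chain, and the added `for` loop at the top of this hunk would then raise `TypeError`; iterating over `self.connection.get_peer_cert_chain() or []` avoids that. The list is only ever appended to, so if this method runs again on the same object the entries accumulate; assigning a fresh list just before the loop would prevent it. The chain is captured before the hostname validation that follows, so it presumably holds the certificates exactly as presented, verified or not; a comment such as `# Unverified: chain as presented by the peer, do not treat as trusted` would make that explicit for later consumers. The enclosing method begins and ends outside the hunk.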
@@ -734,6 +739,7 @@ class BaseHandler(_Connection):
request_client_cert=None,
chain_file=None,
dhparams=None,
+ extra_chain_certs=None,
**sslctx_kwargs):
"""
cert: A certutils.SSLCert object or the path to a certificate
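Review bot: The new `extra_chain_certs` parameter is not described in the docstring that starts right below it; the diffstat lists ten added lines and all of them are code. Suggest adding an entry such as `extra_chain_certs: A list of certutils.SSLCert objects appended to the certificate chain sent to the client`, since the loop added later in this commit reads `.x509` from each element. The signature and the docstring both extend beyond this hunk.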
@@ -769,6 +775,10 @@ class BaseHandler(_Connection):
else:
context.use_certificate_chain_file(cert)
+ if extra_chain_certs:
+ for i in extra_chain_certs:
+ context.add_extra_chain_cert(i.x509)
+
if handle_sni:
# SNI callback happens during do_handshake()
context.set_tlsext_servername_callback(handle_sni)
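Review bot: Each element of `extra_chain_certs` is assumed to expose `.x509`, so a caller passing a path or a bare X509 object (plausible, given that `cert` accepts either an object or a path) would fail with `AttributeError` partway through context setup. The outer `if` only guards against `None`; `for extra in extra_chain_certs or ():` says the same with less nesting and a more descriptive name than `i`. When the extras originate from an upstream peer they are presumably unvalidated, so a comment such as `# Extras are sent to the client as-is; the caller decides what goes in` would document where the trust decision lies. The enclosing method starts and ends outside the hunk.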