author | ikoz <john@kozyrakis.gr> | 2016-03-02 15:23:33 +0000 |
---|---|---|
committer | ikoz <john@kozyrakis.gr> | 2016-03-08 18:13:36 +0000 |
commit | 0169271bf993aa16b4d5627eda8523552661d7ef (patch) | |
tree | fa176d5c0f94b4b380364f1cf493b06b4ea1f7de /netlib | |
parent | ea3742c3938248c273be159d15ac49b4d2884ed8 (diff) | |
New option: Add server certs to client chain
If enabled, append all server certificates to the certificate chain
served to the client, as extras. Can be used to bypass certain
certificate pinning implementations.
Diffstat (limited to 'netlib')
-rw-r--r-- | netlib/tcp.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py index 6423888a..68a71270 100644 --- a/netlib/tcp.py +++ b/netlib/tcp.py @@ -584,6 +584,7 @@ class TCPClient(_Connection): self.address = address self.source_address = source_address self.cert = None + self.server_certs = [] self.ssl_verification_error = None self.sni = None @@ -668,6 +669,10 @@ class TCPClient(_Connection): self.cert = certutils.SSLCert(self.connection.get_peer_certificate()) + # Keep all server certificates in a list + for i in self.connection.get_peer_cert_chain(): + self.server_certs.append(certutils.SSLCert(i)) + # Validate TLS Hostname try: crt = dict( @@ -734,6 +739,7 @@ class BaseHandler(_Connection): request_client_cert=None, chain_file=None, dhparams=None, + extra_chain_certs=None, **sslctx_kwargs): """ cert: A certutils.SSLCert object or the path to a certificate @@ -769,6 +775,10 @@ class BaseHandler(_Connection): else: context.use_certificate_chain_file(cert) + if extra_chain_certs: + for i in extra_chain_certs: + context.add_extra_chain_cert(i.x509) + if handle_sni: # SNI callback happens during do_handshake() context.set_tlsext_servername_callback(handle_sni) |
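Review bot: In the second hunk (`@@ -668,6 +669,10 @@`) the result of `get_peer_cert_chain()` is iterated directly, but pyOpenSSL documents it as returning None when the peer has no chain, which would raise TypeError here. Because the loop appends to the list that the first hunk creates once in `__init__`, `self.server_certs` would also accumulate duplicates if this method can run more than once on the same client object. Assigning instead of appending covers both: `self.server_certs = [certutils.SSLCert(c) for c in self.connection.get_peer_cert_chain() or []]`. The list is filled ahead of the `# Validate TLS Hostname` block, so the comment should say it holds peer-supplied certificates whose hostname has not been checked at that point. The enclosing method starts and ends outside the hunk.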
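Review bot: `extra_chain_certs` is added to the signature in the third hunk (`@@ -734,6 +739,7 @@`) without an entry in the docstring that opens right below it. The fourth hunk shows the contract a caller has to meet: an iterable of objects exposing `.x509`, each passed unchanged to `context.add_extra_chain_cert`. A docstring line such as `extra_chain_certs: iterable of certutils.SSLCert objects appended to the chain served to the client; they are passed through as given and not validated here` would make that explicit, including the fact that upstream-supplied certificates end up in the client-facing chain. How this interacts with `chain_file` is not visible in these hunks and is worth stating there too. The enclosing function begins and ends outside both hunks.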