authorKyle Morton <kylemorton@google.com>2015-06-15 10:16:44 -0700
committerKyle Morton <kylemorton@google.com>2015-06-15 10:18:54 -0700
commitfe764cde5229046b8447062971c61fac745d2d58 (patch)
tree50a498bc782c53072616d290587937b6c003ab04 /test/test_tcp.py
parent0595585974dd889a10e05cade06f5534c85d7401 (diff)
Adding support for upstream certificate validation when using SSL/TLS with an
instance of TCPClient.
Diffstat (limited to 'test/test_tcp.py')
-rw-r--r--test/test_tcp.py53
1 files changed, 53 insertions, 0 deletions
diff --git a/test/test_tcp.py b/test/test_tcp.py
index d5506556..081c83a7 100644
--- a/test/test_tcp.py
+++ b/test/test_tcp.py
@@ -171,6 +171,59 @@ class TestSSLv3Only(test.ServerTestBase):
tutils.raises(tcp.NetLibError, c.convert_to_ssl, sni="foo.com")
+class TestSSLUpstreamCertVerification(test.ServerTestBase):
+ handler = EchoHandler
+
+ ssl = dict(
+ cert=tutils.test_data.path("data/server.crt")
+ )
+
+ def test_mode_default(self):
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ c.connect()
+
+ c.convert_to_ssl()
+
+ testval = "echo!\n"
+ c.wfile.write(testval)
+ c.wfile.flush()
+ assert c.rfile.readline() == testval
+
+ def test_mode_none(self):
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ c.connect()
+
+ c.convert_to_ssl(verify_options=SSL.VERIFY_NONE)
+
+ testval = "echo!\n"
+ c.wfile.write(testval)
+ c.wfile.flush()
+ assert c.rfile.readline() == testval
+
+ def test_mode_strict_w_bad_cert(self):
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ c.connect()
+
+ tutils.raises(
+ tcp.NetLibError,
+ c.convert_to_ssl,
+ verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
+ ca_pemfile=tutils.test_data.path("data/not-server.crt"))
+
+ def test_mode_strict_w_cert(self):
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ c.connect()
+
+ c.convert_to_ssl(
+ verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
+ ca_pemfile=tutils.test_data.path("data/server.crt"))
+
+ testval = "echo!\n"
+ c.wfile.write(testval)
+ c.wfile.flush()
+ assert c.rfile.readline() == testval
+
+
class TestSSLClientCert(test.ServerTestBase):
class handler(tcp.BaseHandler):