-rw-r--r--mitmproxy/cmdline.py2
-rw-r--r--mitmproxy/flow/options.py2
-rw-r--r--mitmproxy/main.py15
-rw-r--r--mitmproxy/proxy/config.py44
-rw-r--r--test/mitmproxy/test_proxy.py4
5 files changed, 42 insertions, 25 deletions
diff --git a/mitmproxy/cmdline.py b/mitmproxy/cmdline.py
index cbff5ccd..3c63ec35 100644
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@@ -215,6 +215,8 @@ def get_common_options(args):
listen_host = args.addr,
listen_port = args.port,
+ cadir = args.cadir,
+ clientcerts = args.clientcerts,
)
diff --git a/mitmproxy/flow/options.py b/mitmproxy/flow/options.py
index d8f87133..f05d2373 100644
--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@@ -40,6 +40,7 @@ class Options(options.Options):
# Proxy options
cadir = cmdline.CA_DIR, # type: str
+ clientcerts = None, # type: Optional[str]
listen_host = "", # type: str
listen_port = 8080, # type: int
):
@@ -74,6 +75,7 @@ class Options(options.Options):
self.replay_ignore_host = replay_ignore_host
self.cadir = cadir
+ self.clientcerts = clientcerts
self.listen_host = listen_host
self.listen_port = listen_port
diff --git a/mitmproxy/main.py b/mitmproxy/main.py
index 9b62b63d..a245c979 100644
--- a/mitmproxy/main.py
+++ b/mitmproxy/main.py
@@ -73,10 +73,9 @@ def mitmproxy(args=None): # pragma: no cover
console_options.limit = args.limit
console_options.no_mouse = args.no_mouse
- proxy_config = process_options(parser, console_options, args)
- server = get_server(console_options.no_server, proxy_config)
-
try:
+ proxy_config = process_options(parser, console_options, args)
+ server = get_server(console_options.no_server, proxy_config)
m = console.master.ConsoleMaster(server, console_options)
except exceptions.OptionsError as e:
print("mitmproxy: %s" % e, file=sys.stderr)
@@ -102,10 +101,9 @@ def mitmdump(args=None): # pragma: no cover
dump_options.keepserving = args.keepserving
dump_options.filtstr = " ".join(args.args) if args.args else None
- proxy_config = process_options(parser, dump_options, args)
- server = get_server(dump_options.no_server, proxy_config)
-
try:
+ proxy_config = process_options(parser, dump_options, args)
+ server = get_server(dump_options.no_server, proxy_config)
master = dump.DumpMaster(server, dump_options)
def cleankill(*args, **kwargs):
@@ -141,10 +139,9 @@ def mitmweb(args=None): # pragma: no cover
web_options.whtpasswd = args.whtpasswd
web_options.process_web_options(parser)
- proxy_config = process_options(parser, web_options, args)
- server = get_server(web_options.no_server, proxy_config)
-
try:
+ proxy_config = process_options(parser, web_options, args)
+ server = get_server(web_options.no_server, proxy_config)
m = web.master.WebMaster(server, web_options)
except exceptions.OptionsError as e:
print("mitmweb: %s" % e, file=sys.stderr)
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 942798f3..0a0188a5 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@@ -8,6 +8,7 @@ import six
from OpenSSL import SSL
from mitmproxy import platform
+from mitmproxy import exceptions
from netlib import certutils
from netlib import human
from netlib import tcp
@@ -59,7 +60,6 @@ class ProxyConfig:
def __init__(
self,
options,
- clientcerts=None,
no_upstream_cert=False,
body_size_limit=None,
mode="regular",
@@ -83,7 +83,6 @@ class ProxyConfig:
self.options = options
self.ciphers_client = ciphers_client
self.ciphers_server = ciphers_server
- self.clientcerts = clientcerts
self.no_upstream_cert = no_upstream_cert
self.body_size_limit = body_size_limit
self.mode = mode
@@ -99,12 +98,6 @@ class ProxyConfig:
self.http2 = http2
self.rawtcp = rawtcp
self.authenticator = authenticator
- self.certstore = certutils.CertStore.from_store(
- os.path.expanduser(options.cadir),
- CONF_BASENAME
- )
- for spec, cert in certs:
- self.certstore.add_cert_file(spec, cert)
self.openssl_method_client, self.openssl_options_client = \
tcp.sslversion_choices[ssl_version_client]
@@ -119,6 +112,34 @@ class ProxyConfig:
self.openssl_trusted_ca_server = ssl_verify_upstream_trusted_ca
self.add_upstream_certs_to_client_chain = add_upstream_certs_to_client_chain
+ self.certstore = None
+ self.clientcerts = None
+ self.config(options)
+ options.changed.connect(self)
+
+ for spec, cert in certs:
+ self.certstore.add_cert_file(spec, cert)
+
+ def config(self, options):
+ certstore_path = os.path.expanduser(options.cadir)
+ if not os.path.exists(certstore_path):
+ raise exceptions.OptionsError(
+ "Certificate Authority directory does not exist: %s" %
+ options.cadir
+ )
+ self.certstore = certutils.CertStore.from_store(
+ os.path.expanduser(options.cadir),
+ CONF_BASENAME
+ )
+ if options.clientcerts:
+ clientcerts = os.path.expanduser(options.clientcerts)
+ if not os.path.exists(clientcerts):
+ raise exceptions.OptionsError(
+ "Client certificate path does not exist: %s" %
+ options.clientcerts
+ )
+ self.clientcerts = clientcerts
+
def process_proxy_options(parser, options, args):
body_size_limit = args.body_size_limit
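Review bot: `config()` assigns `self.clientcerts` only inside `if options.clientcerts:`, so if it is re-run after the option has been cleared, the old path stays set and the proxy would presumably keep presenting that client certificate upstream; start the method with `self.clientcerts = None` or add an `else` branch. Each run also replaces `self.certstore` with a fresh store, while the `for spec, cert in certs:` loop that calls `add_cert_file` runs only in `__init__`, so explicitly configured certificates are lost after the first option change unless `certs` is kept on the instance and re-applied in `config()`. `options.changed.connect(self)` registers the instance rather than `self.config`, which only works if `ProxyConfig` defines `__call__` somewhere outside this hunk. `certstore_path` is computed and checked, but `from_store` is then given a second `os.path.expanduser(options.cadir)`; pass `certstore_path` so the checked path and the used path cannot drift apart. The class and `__init__` begin outside the hunk.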
@@ -163,12 +184,6 @@ def process_proxy_options(parser, options, args):
"then extra upstream certificates are not available for inclusion "
"to the client chain."
)
- if args.clientcerts:
- args.clientcerts = os.path.expanduser(args.clientcerts)
- if not os.path.exists(args.clientcerts):
- return parser.error(
- "Client certificate path does not exist: %s" % args.clientcerts
- )
if args.auth_nonanonymous or args.auth_singleuser or args.auth_htpasswd:
if args.transparent_proxy:
@@ -211,7 +226,6 @@ def process_proxy_options(parser, options, args):
return ProxyConfig(
options,
- clientcerts=args.clientcerts,
no_upstream_cert=args.no_upstream_cert,
body_size_limit=body_size_limit,
mode=mode,
diff --git a/test/mitmproxy/test_proxy.py b/test/mitmproxy/test_proxy.py
index c87e1ad4..70ddfd40 100644
--- a/test/mitmproxy/test_proxy.py
+++ b/test/mitmproxy/test_proxy.py
@@ -60,7 +60,9 @@ class TestProcessProxyOptions:
parser = tutils.MockParser()
cmdline.common_options(parser)
args = parser.parse_args(args=args)
- return parser, process_proxy_options(parser, options.Options(), args)
+ opts = cmdline.get_common_options(args)
+ pconf = process_proxy_options(parser, options.Options(**opts), args)
+ return parser, pconf
def assert_err(self, err, *args):
tutils.raises(err, self.p, *args)
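Review bot: Neither of the new `exceptions.OptionsError` branches in `ProxyConfig.config` gets a test here; per the diffstat, this helper change in `p` is the only edit to the file. Now that `p` builds `options.Options(**opts)` from the parsed arguments, a case that points `cadir` at a missing directory and goes through `self.assert_err(...)` would pin the "Certificate Authority directory does not exist" message. A second case for the client-certificate path would confirm that the check still fires after moving out of `process_proxy_options`. The test class continues outside the hunk, so existing cases may already cover the latter.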