Diffstat (limited to 'libmproxy/proxy')
-rw-r--r--libmproxy/proxy/config.py28
-rw-r--r--libmproxy/proxy/server.py32
2 files changed, 36 insertions, 24 deletions
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index cf382dc7..ed0787da 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -13,7 +13,7 @@ class ProxyConfig:
def __init__(self, confdir=CONF_DIR, clientcerts=None,
no_upstream_cert=False, body_size_limit=None, get_upstream_server=None,
http_form_in="absolute", http_form_out="relative", authenticator=None,
- ciphers=None, certs=None
+ ciphers=None, certs=None, certforward = False
):
self.ciphers = ciphers
self.clientcerts = clientcerts
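Review bot: The new parameter is written `certforward = False` with spaces around `=`, unlike the neighbouring defaults on the same signature (`ciphers=None, certs=None`); `ciphers=None, certs=None, certforward=False` keeps the line consistent with the rest of the signature and with PEP 8. The `__init__` body continues past the end of this hunk.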
@@ -25,6 +25,7 @@ class ProxyConfig:
self.authenticator = authenticator
self.confdir = os.path.expanduser(confdir)
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
+ self.certforward = certforward
def process_proxy_options(parser, options):
@@ -93,15 +94,17 @@ def process_proxy_options(parser, options):
certs.append(parts)
return ProxyConfig(
- clientcerts=options.clientcerts,
- body_size_limit=body_size_limit,
- no_upstream_cert=options.no_upstream_cert,
- get_upstream_server=get_upstream_server,
- http_form_in=http_form_in,
- http_form_out=http_form_out,
- authenticator=authenticator,
- ciphers=options.ciphers,
+ clientcerts = options.clientcerts,
+ body_size_limit = body_size_limit,
+ no_upstream_cert = options.no_upstream_cert,
+ get_upstream_server = get_upstream_server,
+ confdir = options.confdir,
+ http_form_in = http_form_in,
+ http_form_out = http_form_out,
+ authenticator = authenticator,
+ ciphers = options.ciphers,
certs = certs,
+ certforward = options.certforward,
)
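Review bot: Eight of the `+` lines in this hunk only add spaces around `=` in keyword arguments (`clientcerts = options.clientcerts`, …), which PEP 8 discourages for keyword arguments and which buries the two substantive additions, `confdir=options.confdir,` and `certforward=options.certforward,`; keeping the original `name=value` form would reduce the hunk to those two lines. The `confdir` line is also a behaviour change unrelated to certificate forwarding — if `options.confdir` was not passed here before, ProxyConfig presumably fell back to its default `CONF_DIR` — and deserves a mention in the commit message or a separate commit. The `return ProxyConfig(` call is complete within the hunk; process_proxy_options begins before it.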
@@ -124,4 +127,9 @@ def ssl_option_group(parser):
"--ciphers", action="store",
type=str, dest="ciphers", default=None,
help="SSL cipher specification."
- ) \ No newline at end of file
+ )
+ group.add_argument(
+ "--cert-forward", action="store_true",
+ dest="certforward", default=False,
+ help="Simply forward SSL certificates from upstream."
+ )
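Review bot: The help string `Simply forward SSL certificates from upstream.` under-describes what the option does: the proxy never holds the upstream server's private key, so the forwarded certificate is paired with a key produced by the local certstore (see `certstore.gen_pkey` in the server.py hunk), and an operator reading `--help` would not learn that. Suggest `help="Present the upstream server's certificate to the client unchanged, paired with a locally generated key instead of the upstream's own (diagnostic use only)."`. Whether a client completes such a handshake depends on what gen_pkey does, which this diff does not show, so the text should not promise more than that.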
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index dc502e1c..e308d081 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -190,7 +190,8 @@ class ConnectionHandler:
self.client_conn.convert_to_ssl(
cert, key,
handle_sni = self.handle_sni,
- cipher_list = self.config.ciphers
+ cipher_list = self.config.ciphers,
+ dhparams = self.config.certstore.dhparams
)
def server_reconnect(self, no_ssl=False):
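Review bot: The added `dhparams = self.config.certstore.dhparams` keyword reads a `dhparams` attribute on the CertStore that this diff does not introduce; if the certutils change it depends on is absent, every client-side `convert_to_ssl` call raises AttributeError at handshake time, so that dependency should be named in the commit or the attribute guarded. A one-line comment such as `# DH parameters are owned by the certstore so every client handshake uses the same group` would help the next reader — assuming that is where they are generated, which the hunk does not show. The enclosing method starts before this hunk.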
@@ -219,18 +220,21 @@ class ConnectionHandler:
self.channel.tell("log", Log(msg))
def find_cert(self):
- host = self.server_conn.address.host
- sans = []
- if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
- upstream_cert = self.server_conn.cert
- if upstream_cert.cn:
- host = upstream_cert.cn.decode("utf8").encode("idna")
- sans = upstream_cert.altnames
-
- ret = self.config.certstore.get_cert(host, sans)
- if not ret:
- raise ProxyError(502, "Unable to generate dummy cert.")
- return ret
+ if self.config.certforward and self.server_conn.ssl_established:
+ return self.server_conn.cert, self.config.certstore.gen_pkey(self.server_conn.cert)
+ else:
+ host = self.server_conn.address.host
+ sans = []
+ if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
+ upstream_cert = self.server_conn.cert
+ if upstream_cert.cn:
+ host = upstream_cert.cn.decode("utf8").encode("idna")
+ sans = upstream_cert.altnames
+
+ ret = self.config.certstore.get_cert(host, sans)
+ if not ret:
+ raise ProxyError(502, "Unable to generate dummy cert.")
+ return ret
def handle_sni(self, connection):
"""
@@ -253,4 +257,4 @@ class ConnectionHandler:
# An unhandled exception in this method will core dump PyOpenSSL, so
# make dang sure it doesn't happen.
except Exception, e: # pragma: no cover
- pass \ No newline at end of file
+ pass