From 0a3839375de80a032f244c62ee254199750e5f91 Mon Sep 17 00:00:00 2001
From: Aldo Cortesi
Date: Tue, 19 Jul 2016 11:41:04 +1200
Subject: ProxyConfig: various SSL options to Options
---
 mitmproxy/cmdline.py | 6 ++++++
 mitmproxy/flow/options.py | 13 ++++++++++++-
 mitmproxy/options.py | 2 +-
 mitmproxy/protocol/tls.py | 4 ++--
 mitmproxy/proxy/config.py | 29 +++++++----------------------
 test/mitmproxy/tservers.py | 7 +++++--
 6 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/mitmproxy/cmdline.py b/mitmproxy/cmdline.py
index b68de635..73508871 100644
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@@ -249,6 +249,12 @@ def get_common_options(args):
 mode = mode,
 upstream_server = upstream_server,
 upstream_auth = args.upstream_auth,
+ ssl_version_client = args.ssl_version_client,
+ ssl_version_server = args.ssl_version_server,
+ ssl_verify_upstream_cert = args.ssl_verify_upstream_cert,
+ ssl_verify_upstream_trusted_cadir = args.ssl_verify_upstream_trusted_cadir,
+ ssl_verify_upstream_trusted_ca = args.ssl_verify_upstream_trusted_ca,
+ add_upstream_certs_to_client_chain = args.add_upstream_certs_to_client_chain,
 )
diff --git a/mitmproxy/flow/options.py b/mitmproxy/flow/options.py
index 7875e9bf..31150b55 100644
--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@@ -48,6 +48,12 @@ class Options(options.Options):
 mode = "regular", # type: str
 upstream_server = "", # type: str
 upstream_auth = "", # type: str
+ ssl_version_client="secure", # type: str
+ ssl_version_server="secure", # type: str
+ ssl_verify_upstream_cert=False, # type: bool
+ ssl_verify_upstream_trusted_cadir=None, # type: str
+ ssl_verify_upstream_trusted_ca=None, # type: str
+ add_upstream_certs_to_client_chain=False, # type: bool
 ):
 # We could replace all assignments with clever metaprogramming,
 # but type hints are a much more valueable asset.
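Review bot: In the flow/options.py hunk, the type comments on the two `None`-defaulted parameters disagree with their defaults: `ssl_verify_upstream_trusted_cadir=None,  # type: str` and `ssl_verify_upstream_trusted_ca=None,  # type: str` should read `# type: Optional[str]`, since `None` is a legitimate value that ProxyConfig later copies straight into its trust-store attributes. The new parameters are also written `name="value"` while the neighbouring ones use `name = "value"`; one style or the other should be used for the whole signature. The `__init__` signature being edited starts before the hunk.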
@@ -89,5 +95,10 @@ class Options(options.Options):
 self.mode = mode
 self.upstream_server = upstream_server
 self.upstream_auth = upstream_auth
-
+ self.ssl_version_client = ssl_version_client
+ self.ssl_version_server = ssl_version_server
+ self.ssl_verify_upstream_cert = ssl_verify_upstream_cert
+ self.ssl_verify_upstream_trusted_cadir = ssl_verify_upstream_trusted_cadir
+ self.ssl_verify_upstream_trusted_ca = ssl_verify_upstream_trusted_ca
+ self.add_upstream_certs_to_client_chain = add_upstream_certs_to_client_chain
 super(Options, self).__init__()
diff --git a/mitmproxy/options.py b/mitmproxy/options.py
index 04353dca..94e5d573 100644
--- a/mitmproxy/options.py
+++ b/mitmproxy/options.py
@@ -52,7 +52,7 @@ class Options(object):
 if attr in self._opts:
 return self._opts[attr]
 else:
- raise AttributeError()
+ raise AttributeError("No such option: %s" % attr)
 def __setattr__(self, attr, value):
 if not self._initialized:
diff --git a/mitmproxy/protocol/tls.py b/mitmproxy/protocol/tls.py
index 8ef34493..7b8b8301 100644
--- a/mitmproxy/protocol/tls.py
+++ b/mitmproxy/protocol/tls.py
@@ -368,7 +368,7 @@ class TlsLayer(base.Layer):
 self._server_tls and
 not self.config.no_upstream_cert and
 (
- self.config.add_upstream_certs_to_client_chain or
+ self.config.options.add_upstream_certs_to_client_chain or
 self._client_hello.alpn_protocols or
 not self._client_hello.sni
 )
@@ -473,7 +473,7 @@ class TlsLayer(base.Layer):
 self.log("Establish TLS with client", "debug")
 cert, key, chain_file = self._find_cert()
- if self.config.add_upstream_certs_to_client_chain:
+ if self.config.options.add_upstream_certs_to_client_chain:
 extra_certs = self.server_conn.server_certs
 else:
 extra_certs = None
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 7f155528..201f7051 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@@ -86,8 +86,6 @@ class ProxyConfig:
 self,
 options,
 no_upstream_cert=False,
- upstream_server=None,
- upstream_auth=None,
 authenticator=None,
 ignore_hosts=tuple(),
 tcp_hosts=tuple(),
@@ -96,12 +94,6 @@ class ProxyConfig:
 ciphers_client=DEFAULT_CLIENT_CIPHERS,
 ciphers_server=None,
 certs=tuple(),
- ssl_version_client="secure",
- ssl_version_server="secure",
- ssl_verify_upstream_cert=False,
- ssl_verify_upstream_trusted_cadir=None,
- ssl_verify_upstream_trusted_ca=None,
- add_upstream_certs_to_client_chain=False,
 ):
 self.options = options
 self.ciphers_client = ciphers_client
@@ -115,17 +107,14 @@ class ProxyConfig:
 self.authenticator = authenticator
 self.openssl_method_client, self.openssl_options_client = \
- tcp.sslversion_choices[ssl_version_client]
+ tcp.sslversion_choices[options.ssl_version_client]
 self.openssl_method_server, self.openssl_options_server = \
- tcp.sslversion_choices[ssl_version_server]
+ tcp.sslversion_choices[options.ssl_version_server]
- if ssl_verify_upstream_cert:
+ if options.ssl_verify_upstream_cert:
 self.openssl_verification_mode_server = SSL.VERIFY_PEER
 else:
 self.openssl_verification_mode_server = SSL.VERIFY_NONE
- self.openssl_trusted_cadir_server = ssl_verify_upstream_trusted_cadir
- self.openssl_trusted_ca_server = ssl_verify_upstream_trusted_ca
- self.add_upstream_certs_to_client_chain = add_upstream_certs_to_client_chain
 self.certstore = None
 self.clientcerts = None
@@ -172,6 +161,8 @@ class ProxyConfig:
 self.upstream_server = parse_server_spec(options.upstream_server)
 if options.upstream_auth:
 self.upstream_auth = parse_upstream_auth(options.upstream_auth)
+ self.openssl_trusted_cadir_server = options.ssl_verify_upstream_trusted_cadir
+ self.openssl_trusted_ca_server = options.ssl_verify_upstream_trusted_ca
 def process_proxy_options(parser, options, args):
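Review bot: In the `@@ -172` hunk the trust-store attributes `openssl_trusted_cadir_server` and `openssl_trusted_ca_server` are now assigned well after the `@@ -115` hunk that selects `openssl_verification_mode_server`, the setting they back; the only visible context is `class ProxyConfig`, so if that later block belongs to a different method than the constructor, a ProxyConfig that has not run it would carry a verification mode but no trust roots, and if it is the same method the split is still a readability cost. Moving the two assignments up next to the `SSL.VERIFY_PEER` / `SSL.VERIFY_NONE` branch would keep the upstream verification setup in one place. Failing that, a comment above them such as `# CA file/dir for upstream certificate verification; see openssl_verification_mode_server` should make the link explicit. The method these hunks edit starts before the first hunk.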
@@ -183,7 +174,6 @@ def process_proxy_options(parser, options, args):
 "to the client chain."
 )
 if args.auth_nonanonymous or args.auth_singleuser or args.auth_htpasswd:
-
 if args.transparent_proxy:
 return parser.error("Proxy Authentication not supported in transparent mode.")
@@ -205,7 +195,8 @@ def process_proxy_options(parser, options, args):
 elif args.auth_htpasswd:
 try:
 password_manager = authentication.PassManHtpasswd(
- args.auth_htpasswd)
+ args.auth_htpasswd
+ )
 except ValueError as v:
 return parser.error(v)
 authenticator = authentication.BasicProxyAuth(password_manager, "mitmproxy")
@@ -222,10 +213,4 @@ def process_proxy_options(parser, options, args):
 authenticator=authenticator,
 ciphers_client=args.ciphers_client,
 ciphers_server=args.ciphers_server,
- ssl_version_client=args.ssl_version_client,
- ssl_version_server=args.ssl_version_server,
- ssl_verify_upstream_cert=args.ssl_verify_upstream_cert,
- ssl_verify_upstream_trusted_cadir=args.ssl_verify_upstream_trusted_cadir,
- ssl_verify_upstream_trusted_ca=args.ssl_verify_upstream_trusted_ca,
- add_upstream_certs_to_client_chain=args.add_upstream_certs_to_client_chain,
 )
diff --git a/test/mitmproxy/tservers.py b/test/mitmproxy/tservers.py
index b7b1f001..2bfc27e8 100644
--- a/test/mitmproxy/tservers.py
+++ b/test/mitmproxy/tservers.py
@@ -123,9 +123,12 @@ class ProxyTestBase(object):
 cnf = dict(
 no_upstream_cert = cls.no_upstream_cert,
 authenticator = cls.authenticator,
- add_upstream_certs_to_client_chain = cls.add_upstream_certs_to_client_chain,
 )
- return cnf, options.Options(listen_port=0, cadir=cls.cadir)
+ return cnf, options.Options(
+ listen_port=0,
+ cadir=cls.cadir,
+ add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain
+ )
 class HTTPProxyTest(ProxyTestBase):
--
cgit v1.2.3
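Review bot: In the tservers.py hunk the new multi-line `options.Options(` call has no trailing comma after `add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain`, whereas the `cnf = dict(` literal directly above it keeps one on every argument; adding it (`add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain,`) makes the two blocks consistent and keeps later additions to one-line diffs. The method containing this `return` starts before the hunk.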