From b369962cbe632588baf7b10917e3d31b91a18dbd Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Fri, 26 Jun 2015 13:27:40 +0200
Subject: remove certforward feature

The certforward feature was implemented to support #gotofail, which only works on unpatched iOS devices. Given that many apps don't support iOS 7 anymore, jailbreak+ssl killswitch is usually the better option. By removing certforward, we can make netlib a pure python module again, which significantly simplifies distribution.
---
 libmproxy/proxy/config.py | 8 --------
 libmproxy/proxy/server.py | 42 +++++++++++++++++++-----------------------
 test/test_server.py | 8 --------
 test/tservers.py | 2 --
 4 files changed, 19 insertions(+), 41 deletions(-)

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index b6d73314..a7a719cf 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -48,7 +48,6 @@ class ProxyConfig:
 ciphers_client=None,
 ciphers_server=None,
 certs=[],
- certforward=False,
 ssl_version_client=tcp.SSL_DEFAULT_METHOD,
 ssl_version_server=tcp.SSL_DEFAULT_METHOD,
 ssl_ports=TRANSPARENT_SSL_PORTS,
@@ -91,7 +90,6 @@ class ProxyConfig:
 CONF_BASENAME)
 for spec, cert in certs:
 self.certstore.add_cert_file(spec, cert)
- self.certforward = certforward
 self.ssl_ports = ssl_ports
 if isinstance(ssl_version_client, int):
@@ -202,7 +200,6 @@ def process_proxy_options(parser, options):
 ciphers_client=options.ciphers_client,
 ciphers_server=options.ciphers_server,
 certs=certs,
- certforward=options.certforward,
 ssl_version_client=options.ssl_version_client,
 ssl_version_server=options.ssl_version_server,
 ssl_ports=ssl_ports,
@@ -225,11 +222,6 @@ def ssl_option_group(parser):
 'it is used, else the default key in the conf dir is used. '
 'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. '
 'Can be passed multiple times.')
- group.add_argument(
- "--cert-forward", action="store_true",
- dest="certforward", default=False,
- help="Simply forward SSL certificates from upstream."
- )
 group.add_argument(
 "--ciphers-client", action="store", type=str,
 dest="ciphers_client", default=None,
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 71704413..051e8489 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -303,29 +303,25 @@ class ConnectionHandler:
 self.channel.tell("log", Log(msg, level))
 def find_cert(self):
- if self.config.certforward and self.server_conn.ssl_established:
- return self.server_conn.cert, self.config.certstore.gen_pkey(
- self.server_conn.cert), None
- else:
- host = self.server_conn.address.host
- sans = []
- if self.server_conn.ssl_established and (
- not self.config.no_upstream_cert):
- upstream_cert = self.server_conn.cert
- sans.extend(upstream_cert.altnames)
- if upstream_cert.cn:
- sans.append(host)
- host = upstream_cert.cn.decode("utf8").encode("idna")
- if self.server_conn.sni:
- sans.append(self.server_conn.sni)
- # for ssl spoof mode
- if hasattr(self.client_conn, "sni"):
- sans.append(self.client_conn.sni)
-
- ret = self.config.certstore.get_cert(host, sans)
- if not ret:
- raise ProxyError(502, "Unable to generate dummy cert.")
- return ret
+ host = self.server_conn.address.host
+ sans = []
+ if self.server_conn.ssl_established and (
+ not self.config.no_upstream_cert):
+ upstream_cert = self.server_conn.cert
+ sans.extend(upstream_cert.altnames)
+ if upstream_cert.cn:
+ sans.append(host)
+ host = upstream_cert.cn.decode("utf8").encode("idna")
+ if self.server_conn.sni:
+ sans.append(self.server_conn.sni)
+ # for ssl spoof mode
+ if hasattr(self.client_conn, "sni"):
+ sans.append(self.client_conn.sni)
+
+ ret = self.config.certstore.get_cert(host, sans)
+ if not ret:
+ raise ProxyError(502, "Unable to generate dummy cert.")
+ return ret
 def handle_sni(self, connection):
 """
diff --git a/test/test_server.py b/test/test_server.py
index 07b8a5f2..8cf4095b 100644
--- a/test/test_server.py
+++ b/test/test_server.py
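Review bot: `sans.append(self.client_conn.sni)` in the new body of `find_cert` is gated only by `hasattr`, so if the client connection carries an `sni` attribute whose value is `None` (the `if self.server_conn.sni:` guard two lines above suggests the attribute can be unset that way), `None` is handed to `certstore.get_cert` as a subject alternative name; `if getattr(self.client_conn, "sni", None):` would cover both the missing-attribute and the `None` case in one line. With the `certforward` branch gone the method has a single path and would benefit from a docstring stating that it always returns a certificate minted by the local `certstore` for `server_conn.address.host`, enriched with the upstream certificate's CN and altnames unless `no_upstream_cert` is set, and raises `ProxyError(502, ...)` when generation fails. `find_cert` fits within the hunk; the enclosing `ConnectionHandler` class starts outside it.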
@@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
 assert self.pathod("200").status_code == 502
-class TestCertForward(tservers.HTTPProxTest):
- certforward = True
- ssl = True
-
- def test_app_err(self):
- tutils.raises("handshake error", self.pathod, "200:b@100")
-
-
 class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin):
 ssl = False
diff --git a/test/tservers.py b/test/tservers.py
index c70ad68a..96e340e9 100644
--- a/test/tservers.py
+++ b/test/tservers.py
@@ -89,7 +89,6 @@ class ProxTestBase(object):
 no_upstream_cert = False
 authenticator = None
 masterclass = TestMaster
- certforward = False
 @classmethod
 def setupAll(cls):
@@ -131,7 +130,6 @@ class ProxTestBase(object):
 no_upstream_cert = cls.no_upstream_cert,
 cadir = cls.cadir,
 authenticator = cls.authenticator,
- certforward = cls.certforward,
 ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []),
 clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None
 )
-- 
cgit v1.2.3