From 778644d4b810e87ce20cf9da1dca55913c2ffd07 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Wed, 26 Aug 2015 15:12:04 +0200 Subject: http2: fix bugs, chrome works :tada: --- libmproxy/proxy/config.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index ec91a6e0..4ca15747 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -14,6 +14,9 @@ TRANSPARENT_SSL_PORTS = [443, 8443] CONF_BASENAME = "mitmproxy" CA_DIR = "~/.mitmproxy" +# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default. +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old +DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" class HostMatcher(object): def __init__(self, patterns=[]): 
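Review bot: `DEFAULT_CLIENT_CIPHERS` is a single ~900-character literal with nothing marking which part of it matters for the HTTP/2 fix, so a later reader cannot tell what is safe to trim. The comment above it says OpenSSL may otherwise pick a non-HTTP/2 cipher, but not that the ECDHE/AES-GCM suites at the front are the ones HTTP/2 clients can negotiate (RFC 7540 Appendix A blacklists the CBC suites), while the `AES128-SHA`/`DES-CBC3-SHA` entries further down presumably exist only for legacy-client compatibility, given the `profile=old` in the linked generator URL. Splitting the literal into adjacent string fragments per group, each with a short comment, would document that intent, e.g. `"ECDHE-RSA-AES128-GCM-SHA256:...:DHE-DSS-AES128-GCM-SHA256:"  # AEAD suites first: these are what HTTP/2 requires`. The `class HostMatcher` lines are context only; its body continues outside the hunk.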
@@ -241,7 +244,7 @@ def ssl_option_group(parser): 'Can be passed multiple times.') group.add_argument( "--ciphers-client", action="store", - type=str, dest="ciphers_client", default=None, + type=str, dest="ciphers_client", default=DEFAULT_CLIENT_CIPHERS, help="Set supported ciphers for client connections. (OpenSSL Syntax)" ) group.add_argument( -- cgit v1.2.3 From 5b17496c7e5ea3c40a910c4973eeb7bfbcf065bd Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Thu, 27 Aug 2015 18:31:15 +0200 Subject: start fixing proxy config --- libmproxy/proxy/config.py | 48 ++++++----------------------------------------- 1 file changed, 6 insertions(+), 42 deletions(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 4ca15747..83030235 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -3,14 +3,11 @@ import os import re from OpenSSL import SSL -import netlib -from netlib import http, certutils, tcp +from netlib import certutils, tcp from netlib.http import authentication -from .. import utils, platform, version -from .primitives import RegularProxyMode, SpoofMode, SSLSpoofMode, TransparentProxyMode, UpstreamProxyMode, ReverseProxyMode, Socks5ProxyMode +from .. import utils, platform -TRANSPARENT_SSL_PORTS = [443, 8443] CONF_BASENAME = "mitmproxy" CA_DIR = "~/.mitmproxy" @@ -40,15 +37,12 @@ class ProxyConfig: self, host='', port=8080, - server_version=version.NAMEVERSION, cadir=CA_DIR, clientcerts=None, no_upstream_cert=False, body_size_limit=None, mode=None, upstream_server=None, - http_form_in=None, - http_form_out=None, authenticator=None, ignore_hosts=[], tcp_hosts=[], 
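Review bot: The help text for `--ciphers-client` does not mention that a non-empty default is now applied, so a user reading `--help` cannot tell that a curated cipher list is in effect or that supplying their own string replaces it entirely. Append that to the help, e.g. `help="Set supported ciphers for client connections. (OpenSSL Syntax) Defaults to an HTTP/2-compatible list."`; do not use argparse's `%(default)s` here, as it would print the whole literal. `--ciphers-server` keeps `default=None`, so the asymmetry looks intentional but is worth a word in the same help string.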
@@ -57,39 +51,19 @@ class ProxyConfig: certs=[], ssl_version_client=tcp.SSL_DEFAULT_METHOD, ssl_version_server=tcp.SSL_DEFAULT_METHOD, - ssl_ports=TRANSPARENT_SSL_PORTS, - spoofed_ssl_port=None, ssl_verify_upstream_cert=False, ssl_upstream_trusted_cadir=None, ssl_upstream_trusted_ca=None ): self.host = host self.port = port - self.server_version = server_version self.ciphers_client = ciphers_client self.ciphers_server = ciphers_server self.clientcerts = clientcerts self.no_upstream_cert = no_upstream_cert self.body_size_limit = body_size_limit - - if mode == "transparent": - self.mode = TransparentProxyMode(platform.resolver(), ssl_ports) - elif mode == "socks5": - self.mode = Socks5ProxyMode(ssl_ports) - elif mode == "reverse": - self.mode = ReverseProxyMode(upstream_server) - elif mode == "upstream": - self.mode = UpstreamProxyMode(upstream_server) - elif mode == "spoof": - self.mode = SpoofMode() - elif mode == "sslspoof": - self.mode = SSLSpoofMode(spoofed_ssl_port) - else: - self.mode = RegularProxyMode() - - # Handle manual overrides of the http forms - self.mode.http_form_in = http_form_in or self.mode.http_form_in - self.mode.http_form_out = http_form_out or self.mode.http_form_out + self.mode = mode + self.upstream_server = upstream_server self.check_ignore = HostMatcher(ignore_hosts) self.check_tcp = HostMatcher(tcp_hosts) @@ -97,10 +71,10 @@ class ProxyConfig: self.cadir = os.path.expanduser(cadir) self.certstore = certutils.CertStore.from_store( self.cadir, - CONF_BASENAME) + CONF_BASENAME + ) for spec, cert in certs: self.certstore.add_cert_file(spec, cert) - self.ssl_ports = ssl_ports if isinstance(ssl_version_client, int): self.openssl_method_client = ssl_version_client 
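Review bot: `self.mode = mode` now stores the raw argument, but the signature still defaults `mode=None` (visible as context in the preceding hunk), so a `ProxyConfig()` built without an explicit mode carries `None` where the removed `else` branch used to fall back to `RegularProxyMode()`. Either change the default to a concrete mode name, `mode="regular",`, or normalise at assignment, `self.mode = mode or "regular"`. The same hunk also stores `upstream_server` unvalidated, so a reverse/upstream mode without a target is no longer rejected here; if that check moved into the mode implementations it is fine, otherwise it belongs next to these two assignments.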
@@ -279,16 +253,6 @@ def ssl_option_group(parser): dest="ssl_upstream_trusted_ca", help="Path to a PEM formatted trusted CA certificate." ) - group.add_argument( - "--ssl-port", - action="append", - type=int, - dest="ssl_ports", - default=list(TRANSPARENT_SSL_PORTS), - metavar="PORT", - help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. " - "Defaults to %s." % - str(TRANSPARENT_SSL_PORTS)) group.add_argument( "--ssl-version-client", dest="ssl_version_client", type=str, default=tcp.SSL_DEFAULT_VERSION, choices=tcp.SSL_VERSIONS.keys(), -- cgit v1.2.3 From a86491eeed13c7889356e5102312f52bd86c3c66 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Thu, 27 Aug 2015 18:37:16 +0200 Subject: Revert "unify SSL version/method handling" This reverts commit 14e49f4fc7a38b63099ab0d42afd213b0d567c0f. --- libmproxy/proxy/config.py | 69 ++++++++++++++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 25 deletions(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 83030235..f438e9c2 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -49,11 +49,11 @@ class ProxyConfig: ciphers_client=None, ciphers_server=None, certs=[], - ssl_version_client=tcp.SSL_DEFAULT_METHOD, - ssl_version_server=tcp.SSL_DEFAULT_METHOD, + ssl_version_client="secure", + ssl_version_server="secure", ssl_verify_upstream_cert=False, ssl_upstream_trusted_cadir=None, - ssl_upstream_trusted_ca=None + ssl_upstream_trusted_ca=None, ): self.host = host self.port = port 
@@ -76,14 +76,10 @@ class ProxyConfig: for spec, cert in certs: self.certstore.add_cert_file(spec, cert) - if isinstance(ssl_version_client, int): - self.openssl_method_client = ssl_version_client - else: - self.openssl_method_client = tcp.SSL_VERSIONS[ssl_version_client] - if isinstance(ssl_version_server, int): - self.openssl_method_server = ssl_version_server - else: - self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server] + self.openssl_method_client, self.openssl_options_client = version_to_openssl( + ssl_version_client) + self.openssl_method_server, self.openssl_options_server = version_to_openssl( + ssl_version_server) if ssl_verify_upstream_cert: self.openssl_verification_mode_server = SSL.VERIFY_PEER @@ -92,8 +88,33 @@ class ProxyConfig: self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir self.openssl_trusted_ca_server = ssl_upstream_trusted_ca - self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS - self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS + +sslversion_choices = ( + "all", + "secure", + "SSLv2", + "SSLv3", + "TLSv1", + "TLSv1_1", + "TLSv1_2") + + +def version_to_openssl(version): + """ + Convert a reasonable SSL version specification into the format OpenSSL expects. + Don't ask... + https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3 + """ + if version == "all": + return SSL.SSLv23_METHOD, None + elif version == "secure": + # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+ + # TLSv1_METHOD would be TLS 1.0 only + return SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) + elif version in sslversion_choices: + return getattr(SSL, "%s_METHOD" % version), None + else: + raise ValueError("Invalid SSL version: %s" % version) def process_proxy_options(parser, options): 
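Review bot: In the second hunk, `version_to_openssl` returns `None` as the options value for `"all"` and the explicit-version choices but an integer mask for `"secure"`, so `openssl_options_client`/`openssl_options_server` now hold two different types, where before this change both were always `tcp.SSL_DEFAULT_OPTIONS`. Whatever consumes these attributes (not in this diff, presumably a `Context.set_options` call) will have to special-case `None`. Returning `0` in the non-secure branches keeps the type uniform: `return SSL.SSLv23_METHOD, 0` and `return getattr(SSL, "%s_METHOD" % version), 0`. Dropping `tcp.SSL_DEFAULT_OPTIONS` also means any hardening flags netlib set by default no longer apply unless the consumer re-adds them; worth a comment either way.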
@@ -254,18 +275,16 @@ def ssl_option_group(parser): help="Path to a PEM formatted trusted CA certificate." ) group.add_argument( - "--ssl-version-client", dest="ssl_version_client", type=str, default=tcp.SSL_DEFAULT_VERSION, - choices=tcp.SSL_VERSIONS.keys(), - help="""" - Use a specified protocol for client connections: - TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23. - Default to SSLv23.""" + "--ssl-version-client", dest="ssl_version_client", + default="secure", action="store", + choices=sslversion_choices, + help="Set supported SSL/TLS version for client connections. " + "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." ) group.add_argument( - "--ssl-version-server", dest="ssl_version_server", type=str, default=tcp.SSL_DEFAULT_VERSION, - choices=tcp.SSL_VERSIONS.keys(), - help="""" - Use a specified protocol for server connections: - TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23. - Default to SSLv23.""" + "--ssl-version-server", dest="ssl_version_server", + default="secure", action="store", + choices=sslversion_choices, + help="Set supported SSL/TLS version for server connections. " + "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." ) -- cgit v1.2.3 From 1cc48345e13917aadc1e0fd93d6011139e78e3d9 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Fri, 28 Aug 2015 01:51:13 +0200 Subject: clean up config/cmdline, fix bugs, remove cruft --- libmproxy/proxy/config.py | 196 +++++++++++++--------------------------------- 1 file changed, 55 insertions(+), 141 deletions(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index f438e9c2..8ab5a216 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -1,4 +1,5 @@ from __future__ import absolute_import +import collections import os import re from OpenSSL import SSL 
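Review bot: The new help strings for `--ssl-version-client`/`--ssl-version-server` do not say that an explicit choice pins a single protocol version while `secure` means TLS 1.0 and newer; the code comment in `version_to_openssl` in the previous hunk makes exactly that distinction (`TLSv1_METHOD would be TLS 1.0 only`), and a user is likely to read `TLSv1_2` as a minimum. Suggest `help="Set supported SSL/TLS version for client connections. 'secure' allows TLS 1.0 and newer; a named version allows only that version. SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."`, and the same wording for the server option.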
@@ -7,6 +8,7 @@ from netlib import certutils, tcp from netlib.http import authentication from .. import utils, platform +from netlib.tcp import Address CONF_BASENAME = "mitmproxy" CA_DIR = "~/.mitmproxy" @@ -15,8 +17,9 @@ CA_DIR = "~/.mitmproxy" # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + class HostMatcher(object): - def __init__(self, patterns=[]): + def __init__(self, patterns=tuple()): self.patterns = list(patterns) self.regexes = [re.compile(p, re.IGNORECASE) for p in self.patterns] @@ -32,6 +35,9 @@ class HostMatcher(object): return bool(self.patterns) +ServerSpec = collections.namedtuple("ServerSpec", "scheme address") + + class ProxyConfig: def __init__( self, 
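Review bot: `ServerSpec` in the last hunk is introduced without any comment on what its two fields hold, and the namedtuple field string gives no hint of their types; the only construction site is in the next hunk, where it is built as `ServerSpec(upstream_server[0], Address.wrap(upstream_server[1]))`. A one-line comment above the definition would save readers that lookup: `# Upstream/reverse target: scheme as given on the command line, address a netlib tcp.Address.` In the `HostMatcher` hunk, `patterns=tuple()` is the right fix for the shared mutable default, but the idiomatic literal is `patterns=()`. The `from netlib.tcp import Address` line in the first hunk lands after the relative `from .. import`, out of the third-party group.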
@@ -41,19 +47,19 @@ class ProxyConfig: clientcerts=None, no_upstream_cert=False, body_size_limit=None, - mode=None, + mode="regular", upstream_server=None, authenticator=None, - ignore_hosts=[], - tcp_hosts=[], + ignore_hosts=tuple(), + tcp_hosts=tuple(), ciphers_client=None, ciphers_server=None, - certs=[], + certs=tuple(), ssl_version_client="secure", ssl_version_server="secure", ssl_verify_upstream_cert=False, - ssl_upstream_trusted_cadir=None, - ssl_upstream_trusted_ca=None, + ssl_verify_upstream_trusted_cadir=None, + ssl_verify_upstream_trusted_ca=None, ): self.host = host self.port = port @@ -63,7 +69,10 @@ class ProxyConfig: self.no_upstream_cert = no_upstream_cert self.body_size_limit = body_size_limit self.mode = mode - self.upstream_server = upstream_server + if upstream_server: + self.upstream_server = ServerSpec(upstream_server[0], Address.wrap(upstream_server[1])) + else: + self.upstream_server = None self.check_ignore = HostMatcher(ignore_hosts) self.check_tcp = HostMatcher(tcp_hosts) 
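Review bot: In the second hunk the `if upstream_server:` branch wraps the target when one is given, but nothing relates it to `mode`, so `mode="reverse"` or `mode="upstream"` with `upstream_server=None` is accepted and the failure surfaces only later when the `None` is dereferenced. A check next to the assignment makes the contract explicit: `if mode in ("reverse", "upstream") and not upstream_server: raise ValueError("%s mode requires an upstream server" % mode)`. The indexing `upstream_server[0]`/`[1]` also silently assumes a two-element sequence; a comment naming the expected `(scheme, address)` shape would help callers.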
@@ -76,57 +85,46 @@ class ProxyConfig: for spec, cert in certs: self.certstore.add_cert_file(spec, cert) - self.openssl_method_client, self.openssl_options_client = version_to_openssl( - ssl_version_client) - self.openssl_method_server, self.openssl_options_server = version_to_openssl( - ssl_version_server) + self.openssl_method_client, self.openssl_options_client = \ + sslversion_choices[ssl_version_client] + self.openssl_method_server, self.openssl_options_server = \ + sslversion_choices[ssl_version_server] if ssl_verify_upstream_cert: self.openssl_verification_mode_server = SSL.VERIFY_PEER else: self.openssl_verification_mode_server = SSL.VERIFY_NONE - self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir - self.openssl_trusted_ca_server = ssl_upstream_trusted_ca - - -sslversion_choices = ( - "all", - "secure", - "SSLv2", - "SSLv3", - "TLSv1", - "TLSv1_1", - "TLSv1_2") - - -def version_to_openssl(version): - """ - Convert a reasonable SSL version specification into the format OpenSSL expects. - Don't ask... - https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3 - """ - if version == "all": - return SSL.SSLv23_METHOD, None - elif version == "secure": - # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+ - # TLSv1_METHOD would be TLS 1.0 only - return SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) - elif version in sslversion_choices: - return getattr(SSL, "%s_METHOD" % version), None - else: - raise ValueError("Invalid SSL version: %s" % version) + self.openssl_trusted_cadir_server = ssl_verify_upstream_trusted_cadir + self.openssl_trusted_ca_server = ssl_verify_upstream_trusted_ca + + +""" +Map a reasonable SSL version specification into the format OpenSSL expects. +Don't ask... 
+https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3 +""" +sslversion_choices = { + "all": (SSL.SSLv23_METHOD, 0), + # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+ + # TLSv1_METHOD would be TLS 1.0 only + "secure": (SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)), + "SSLv2": (SSL.SSLv2_METHOD, 0), + "SSLv3": (SSL.SSLv3_METHOD, 0), + "TLSv1": (SSL.TLSv1_METHOD, 0), + "TLSv1_1": (SSL.TLSv1_1_METHOD, 0), + "TLSv1_2": (SSL.TLSv1_2_METHOD, 0), +} def process_proxy_options(parser, options): body_size_limit = utils.parse_size(options.body_size_limit) c = 0 - mode, upstream_server, spoofed_ssl_port = None, None, None + mode, upstream_server = "regular", None if options.transparent_proxy: c += 1 if not platform.resolver: - return parser.error( - "Transparent mode not supported on this platform.") + return parser.error("Transparent mode not supported on this platform.") mode = "transparent" if options.socks_proxy: c += 1 
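Review bot: The triple-quoted string placed above `sslversion_choices` is a bare expression statement, not a docstring — it is attached to nothing — so it should be a `#` comment block describing the mapping. Replacing `version_to_openssl` with a plain dict lookup also changes the failure mode for bad input: `sslversion_choices[ssl_version_client]` raises a bare `KeyError` instead of the previous `ValueError("Invalid SSL version: %s")`, and argparse `choices` only protects the CLI path, not programmatic `ProxyConfig(...)` callers. A `try/except KeyError` around the two lookup sites re-raising `ValueError` would keep the old contract. The hunk also covers the top of `process_proxy_options`, whose body continues outside it.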
@@ -139,32 +137,26 @@ def process_proxy_options(parser, options): c += 1 mode = "upstream" upstream_server = options.upstream_proxy - if options.spoof_mode: - c += 1 - mode = "spoof" - if options.ssl_spoof_mode: - c += 1 - mode = "sslspoof" - spoofed_ssl_port = options.spoofed_ssl_port if c > 1: return parser.error( "Transparent, SOCKS5, reverse and upstream proxy mode " - "are mutually exclusive.") + "are mutually exclusive. Read the docs on proxy modes to understand why." + ) if options.clientcerts: options.clientcerts = os.path.expanduser(options.clientcerts) - if not os.path.exists( - options.clientcerts) or not os.path.isdir( - options.clientcerts): + if not os.path.exists(options.clientcerts) or not os.path.isdir(options.clientcerts): return parser.error( "Client certificate directory does not exist or is not a directory: %s" % - options.clientcerts) + options.clientcerts + ) - if (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd): + if options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd: if options.auth_singleuser: if len(options.auth_singleuser.split(':')) != 2: return parser.error( - "Invalid single-user specification. Please use the format username:password") + "Invalid single-user specification. Please use the format username:password" + ) username, password = options.auth_singleuser.split(':') password_manager = authentication.PassManSingleUser(username, password) elif options.auth_nonanonymous: @@ -189,12 +181,6 @@ def process_proxy_options(parser, options): parser.error("Certificate file does not exist: %s" % parts[1]) certs.append(parts) - ssl_ports = options.ssl_ports - if options.ssl_ports != TRANSPARENT_SSL_PORTS: - # arparse appends to default value by default, strip that off. - # see http://bugs.python.org/issue16399 - ssl_ports = ssl_ports[len(TRANSPARENT_SSL_PORTS):] - return ProxyConfig( host=options.addr, port=options.port, 
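Review bot: The reflowed client-cert check in the first hunk still tests `os.path.exists` before `os.path.isdir`, but `isdir` already returns False for a missing path, so the condition can simply be `if not os.path.isdir(options.clientcerts):` without changing the error raised. While in the single-user branch: `len(options.auth_singleuser.split(':')) != 2` rejects any password containing a colon, whereas `options.auth_singleuser.split(':', 1)` in both the check and the unpacking would accept it; that line is unchanged context, so it can be a follow-up. `process_proxy_options` begins and ends outside this hunk.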
@@ -204,87 +190,15 @@ def process_proxy_options(parser, options): body_size_limit=body_size_limit, mode=mode, upstream_server=upstream_server, - http_form_in=options.http_form_in, - http_form_out=options.http_form_out, ignore_hosts=options.ignore_hosts, tcp_hosts=options.tcp_hosts, authenticator=authenticator, ciphers_client=options.ciphers_client, ciphers_server=options.ciphers_server, - certs=certs, + certs=tuple(certs), ssl_version_client=options.ssl_version_client, ssl_version_server=options.ssl_version_server, - ssl_ports=ssl_ports, - spoofed_ssl_port=spoofed_ssl_port, ssl_verify_upstream_cert=options.ssl_verify_upstream_cert, - ssl_upstream_trusted_cadir=options.ssl_upstream_trusted_cadir, - ssl_upstream_trusted_ca=options.ssl_upstream_trusted_ca - ) - - -def ssl_option_group(parser): - group = parser.add_argument_group("SSL") - group.add_argument( - "--cert", - dest='certs', - default=[], - type=str, - metavar="SPEC", - action="append", - help='Add an SSL certificate. SPEC is of the form "[domain=]path". ' - 'The domain may include a wildcard, and is equal to "*" if not specified. ' - 'The file at path is a certificate in PEM format. If a private key is included in the PEM, ' - 'it is used, else the default key in the conf dir is used. ' - 'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. ' - 'Can be passed multiple times.') - group.add_argument( - "--ciphers-client", action="store", - type=str, dest="ciphers_client", default=DEFAULT_CLIENT_CIPHERS, - help="Set supported ciphers for client connections. (OpenSSL Syntax)" - ) - group.add_argument( - "--ciphers-server", action="store", - type=str, dest="ciphers_server", default=None, - help="Set supported ciphers for server connections. (OpenSSL Syntax)" - ) - group.add_argument( - "--client-certs", action="store", - type=str, dest="clientcerts", default=None, - help="Client certificate directory." 
- ) - group.add_argument( - "--no-upstream-cert", default=False, - action="store_true", dest="no_upstream_cert", - help="Don't connect to upstream server to look up certificate details." - ) - group.add_argument( - "--verify-upstream-cert", default=False, - action="store_true", dest="ssl_verify_upstream_cert", - help="Verify upstream server SSL/TLS certificates and fail if invalid " - "or not present." - ) - group.add_argument( - "--upstream-trusted-cadir", default=None, action="store", - dest="ssl_upstream_trusted_cadir", - help="Path to a directory of trusted CA certificates for upstream " - "server verification prepared using the c_rehash tool." - ) - group.add_argument( - "--upstream-trusted-ca", default=None, action="store", - dest="ssl_upstream_trusted_ca", - help="Path to a PEM formatted trusted CA certificate." - ) - group.add_argument( - "--ssl-version-client", dest="ssl_version_client", - default="secure", action="store", - choices=sslversion_choices, - help="Set supported SSL/TLS version for client connections. " - "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." - ) - group.add_argument( - "--ssl-version-server", dest="ssl_version_server", - default="secure", action="store", - choices=sslversion_choices, - help="Set supported SSL/TLS version for server connections. " - "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." - ) + ssl_verify_upstream_trusted_cadir=options.ssl_verify_upstream_trusted_cadir, + ssl_verify_upstream_trusted_ca=options.ssl_verify_upstream_trusted_ca + ) \ No newline at end of file -- cgit v1.2.3 From 2dfba2105b4b5ad094ee364124c0552d2e4a4947 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Sat, 29 Aug 2015 12:34:01 +0200 Subject: move sslversion mapping to netlib --- libmproxy/proxy/config.py | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 8ab5a216..415ee215 100644 
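Review bot: The rebuilt `ProxyConfig(...)` call reads `options.ssl_verify_upstream_trusted_cadir` and `options.ssl_verify_upstream_trusted_ca`, but the argparse definitions deleted in this same hunk registered those flags under `dest="ssl_upstream_trusted_cadir"` / `dest="ssl_upstream_trusted_ca"`. `ssl_option_group` is removed here rather than edited, so its new home is outside this diff; unless the `dest` names were renamed there as well, startup fails with an `AttributeError` on the options namespace, which is worth confirming before merge. The file also now ends without a trailing newline (`\ No newline at end of file`), which most linters flag.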
--- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -8,7 +8,7 @@ from netlib import certutils, tcp from netlib.http import authentication from .. import utils, platform -from netlib.tcp import Address +from netlib.tcp import Address, sslversion_choices CONF_BASENAME = "mitmproxy" CA_DIR = "~/.mitmproxy" @@ -98,24 +98,6 @@ class ProxyConfig: self.openssl_trusted_ca_server = ssl_verify_upstream_trusted_ca -""" -Map a reasonable SSL version specification into the format OpenSSL expects. -Don't ask... -https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3 -""" -sslversion_choices = { - "all": (SSL.SSLv23_METHOD, 0), - # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+ - # TLSv1_METHOD would be TLS 1.0 only - "secure": (SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)), - "SSLv2": (SSL.SSLv2_METHOD, 0), - "SSLv3": (SSL.SSLv3_METHOD, 0), - "TLSv1": (SSL.TLSv1_METHOD, 0), - "TLSv1_1": (SSL.TLSv1_1_METHOD, 0), - "TLSv1_2": (SSL.TLSv1_2_METHOD, 0), -} - - def process_proxy_options(parser, options): body_size_limit = utils.parse_size(options.body_size_limit) -- cgit v1.2.3 From 1dd09a5509219e7390abbb8c0b6818c7e792daa1 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Sun, 30 Aug 2015 02:27:38 +0200 Subject: always insert tls layer for inline script upgrades --- libmproxy/proxy/config.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 415ee215..b360abbd 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -24,6 +24,8 @@ class HostMatcher(object): self.regexes = [re.compile(p, re.IGNORECASE) for p in self.patterns] def __call__(self, address): + if not address: + return False address = tcp.Address.wrap(address) host = "%s:%s" % (address.host, address.port) if any(rex.search(host) for rex in self.regexes): -- cgit v1.2.3 From a86ec56012136664688fa4a8efcd866b5e3e17a8 Mon Sep 17 00:00:00 2001 
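Review bot: The new `if not address: return False` guard in `HostMatcher.__call__` (last hunk on this line) silently treats a missing address as "no match" without saying why a matcher can now be called with `None`; the commit subject suggests the TLS layer may now run before any server address is known, but that is not visible here. A comment would pin the intent: `# No server address known yet (presumably a TLS layer inserted before connect) - nothing to match.` `HostMatcher.__call__` continues past the hunk.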
From: Maximilian Hils Date: Sun, 30 Aug 2015 15:27:29 +0200 Subject: move files around --- libmproxy/proxy/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index b360abbd..65029087 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -6,9 +6,9 @@ from OpenSSL import SSL from netlib import certutils, tcp from netlib.http import authentication +from netlib.tcp import Address, sslversion_choices from .. import utils, platform -from netlib.tcp import Address, sslversion_choices CONF_BASENAME = "mitmproxy" CA_DIR = "~/.mitmproxy" -- cgit v1.2.3 From 7450bef615436d39bcd2a0d2a8892b8f42beea6f Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Mon, 31 Aug 2015 13:43:30 +0200 Subject: fix dns_spoofing example, avoid connecting to itself --- libmproxy/proxy/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 65029087..8d2a286d 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -1,4 +1,4 @@ -from __future__ import absolute_import +from __future__ import (absolute_import, print_function, division) import collections import os import re -- cgit v1.2.3 From 481cc6ea842dc3c531c45a4bd228bdd6ebcc4229 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Mon, 31 Aug 2015 17:29:14 +0200 Subject: we don't support socks auth, refs #738 --- libmproxy/proxy/config.py | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'libmproxy/proxy/config.py') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index 8d2a286d..2a1b84cb 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py 
@@ -136,6 +136,13 @@ def process_proxy_options(parser, options): ) if options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd: + + if options.socks_proxy: + return parser.error( + "Proxy Authentication not supported in SOCKS mode. " + "https://github.com/mitmproxy/mitmproxy/issues/738" + ) + if options.auth_singleuser: if len(options.auth_singleuser.split(':')) != 2: return parser.error( -- cgit v1.2.3
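Review bot: The new SOCKS/auth exclusion tests `options.socks_proxy` directly, while `process_proxy_options` already resolves the proxy mode into the local `mode` variable earlier in the function (outside this hunk, presumably assigning `"socks5"` there); checking `if mode == "socks5":` would keep a single source of truth should the mode selection change again. Failing at option parsing is the right behaviour — the proxy refuses to start rather than silently running SOCKS without the requested authentication — so only the condition, not the placement, is worth changing. `process_proxy_options` begins and ends outside this hunk.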