From e89e035d4a2c52aff77fdb3eaa01e8bdb1539a17 Mon Sep 17 00:00:00 2001
From: Aldo Cortesi
Date: Tue, 11 Mar 2014 13:02:10 +1300
Subject: Certificate forwarding.

---
 libmproxy/proxy/server.py | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
(limited to 'libmproxy/proxy/server.py')

diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index a5b95fb7..4723104e 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -188,7 +188,8 @@ class ConnectionHandler:
 self.client_conn.convert_to_ssl(
 cert, key,
 handle_sni = self.handle_sni,
- cipher_list = self.config.ciphers
+ cipher_list = self.config.ciphers,
+ dhparams = self.config.certstore.dhparams
 )

 def server_reconnect(self, no_ssl=False):
@@ -217,18 +218,21 @@ class ConnectionHandler:
 self.channel.tell("log", Log(msg))

 def find_cert(self):
- host = self.server_conn.address.host
- sans = []
- if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
- upstream_cert = self.server_conn.cert
- if upstream_cert.cn:
- host = upstream_cert.cn.decode("utf8").encode("idna")
- sans = upstream_cert.altnames
-
- ret = self.config.certstore.get_cert(host, sans)
- if not ret:
- raise ProxyError(502, "Unable to generate dummy cert.")
- return ret
+ if self.config.certforward and self.server_conn.ssl_established:
+ return self.server_conn.cert, self.config.certstore.gen_pkey(self.server_conn.cert)
+ else:
+ host = self.server_conn.address.host
+ sans = []
+ if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
+ upstream_cert = self.server_conn.cert
+ if upstream_cert.cn:
+ host = upstream_cert.cn.decode("utf8").encode("idna")
+ sans = upstream_cert.altnames
+
+ ret = self.config.certstore.get_cert(host, sans)
+ if not ret:
+ raise ProxyError(502, "Unable to generate dummy cert.")
+ return ret

 def handle_sni(self, connection):
 """
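Review bot: The new `certforward` branch in `find_cert` returns the upstream certificate unchanged together with a key from `self.config.certstore.gen_pkey(self.server_conn.cert)`, but nothing in the hunk shows how that key relates to the forwarded certificate's public key, so a reader cannot tell under what conditions the client-side handshake in `convert_to_ssl` can succeed or what the path depends on; a docstring on `find_cert` should state the return contract (a `(cert, key)` pair, presumably in both branches) and the precondition the forwarding path relies on. The `else:` after the `return` is redundant and only deepens the indentation of the dummy-certificate path. Separately, the carried-over condition `if not self.config.no_upstream_cert or not self.server_conn.ssl_established:` reads `self.server_conn.cert` precisely when no upstream TLS session exists; if `cert` is unset in that state, `upstream_cert.cn` would raise, and `and` looks like the intended operator — worth confirming against `server_conn`. `find_cert` is shown in full here; the enclosing class continues outside the hunk.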
@@ -251,4 +255,4 @@ class ConnectionHandler:
 # An unhandled exception in this method will core dump PyOpenSSL, so
 # make dang sure it doesn't happen.
 except Exception, e: # pragma: no cover
- pass
\ No newline at end of file
+ pass
-- 
cgit v1.2.3