From f0ad1f334ca57fdf57a3bfb190d314fc8d983475 Mon Sep 17 00:00:00 2001 From: Kyle Morton Date: Mon, 29 Jun 2015 10:32:57 -0700 Subject: Enabling upstream server verification. Added flags --verify_upstream_cert, --upstream-trusted-cadir, and --upstream-trusted-ca. --- libmproxy/proxy/config.py | 32 +++++++++++++++++++++++++++++++- libmproxy/proxy/server.py | 17 +++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) (limited to 'libmproxy') diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index a7a719cf..c5306b4a 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -52,6 +52,9 @@ class ProxyConfig: ssl_version_server=tcp.SSL_DEFAULT_METHOD, ssl_ports=TRANSPARENT_SSL_PORTS, spoofed_ssl_port=None, + ssl_verify_upstream_cert=False, + ssl_upstream_trusted_cadir=None, + ssl_upstream_trusted_ca=None ): self.host = host self.port = port @@ -100,6 +103,13 @@ class ProxyConfig: self.openssl_method_server = ssl_version_server else: self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server] + + if ssl_verify_upstream_cert: + self.openssl_verification_mode_server = SSL.VERIFY_PEER + else: + self.openssl_verification_mode_server = SSL.VERIFY_NONE + self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir + self.openssl_trusted_ca_server = ssl_upstream_trusted_ca self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS @@ -203,7 +213,10 @@ def process_proxy_options(parser, options): ssl_version_client=options.ssl_version_client, ssl_version_server=options.ssl_version_server, ssl_ports=ssl_ports, - spoofed_ssl_port=spoofed_ssl_port + spoofed_ssl_port=spoofed_ssl_port, + ssl_verify_upstream_cert=options.ssl_verify_upstream_cert, + ssl_upstream_trusted_cadir=options.ssl_upstream_trusted_cadir, + ssl_upstream_trusted_ca=options.ssl_upstream_trusted_ca ) 
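Review bot: In the `process_proxy_options` hunk nothing checks that a trust anchor accompanies `--verify-upstream-cert`, so `SSL.VERIFY_PEER` can be enabled with `ca_path` and `ca_pemfile` both `None`; unless netlib falls back to a default trust store (not visible here), every upstream handshake will then fail and the user gets no hint why. Add before the `ProxyConfig(...)` call `if options.ssl_verify_upstream_cert and not (options.ssl_upstream_trusted_cadir or options.ssl_upstream_trusted_ca): parser.error("--verify-upstream-cert requires --upstream-trusted-cadir or --upstream-trusted-ca")`, and reject a cadir/ca path that is not an existing directory/file the same way, since a typo there otherwise surfaces only as a handshake failure. The `__init__` hunk references `SSL.VERIFY_PEER` and `SSL.VERIFY_NONE` but the patch adds no import, so confirm config.py already has `SSL` from OpenSSL in scope. Both `ProxyConfig.__init__` and `process_proxy_options` extend beyond the hunks shown.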
@@ -242,6 +255,23 @@ def ssl_option_group(parser): action="store_true", dest="no_upstream_cert", help="Don't connect to upstream server to look up certificate details." ) + group.add_argument( + "--verify-upstream-cert", default=False, + action="store_true", dest="ssl_verify_upstream_cert", + help="Verify upstream server SSL/TLS certificates and fail if invalid " + "or not present." + ) + group.add_argument( + "--upstream-trusted-cadir", default=None, action="store", + dest="ssl_upstream_trusted_cadir", + help="Path to a directory of trusted CA certificates for upstream " + "server verification prepared using the c_rehash tool." + ) + group.add_argument( + "--upstream-trusted-ca", default=None, action="store", + dest="ssl_upstream_trusted_ca", + help="Path to a PEM formatted trusted CA certificate." + ) group.add_argument( "--ssl-port", action="append", diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py index 051e8489..2711bd0e 100644 --- a/libmproxy/proxy/server.py +++ b/libmproxy/proxy/server.py @@ -235,8 +235,18 @@ class ConnectionHandler: sni, method=self.config.openssl_method_server, options=self.config.openssl_options_server, + verify_options=self.config.openssl_verification_mode_server, + ca_path=self.config.openssl_trusted_cadir_server, + ca_pemfile=self.config.openssl_trusted_ca_server, cipher_list=self.config.ciphers_server, ) + ssl_cert_err = self.server_conn.ssl_verification_error + if ssl_cert_err is not None: + self.log( + "SSL verification failed for upstream server at depth %s with error: %s" % + (ssl_cert_err['depth'], ssl_cert_err['errno']), + "error") + self.log("Ignoring server verification error, continuing with connection", "error") except tcp.NetLibError as v: e = ProxyError(502, repr(v)) # Workaround for https://github.com/mitmproxy/mitmproxy/issues/427 
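Review bot: The help text for `--verify-upstream-cert` promises to "fail if invalid or not present" but does not tell the user where the trusted CAs come from, even though the two options added right after it exist for exactly that; I would extend it to `help="Verify upstream server SSL/TLS certificates and fail if invalid or not present. Use --upstream-trusted-cadir or --upstream-trusted-ca to supply the trusted CAs."`. Note also that the commit message spells the flag `--verify_upstream_cert` while the option is defined here as `--verify-upstream-cert`. `ssl_option_group` continues outside the hunk.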
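Review bot: The success-path check after `convert_to_ssl` logs "Ignoring server verification error, continuing with connection" without consulting `self.config.openssl_verification_mode_server`, so if a handshake ever completes with `ssl_verification_error` set while `--verify-upstream-cert` is on (aborting is left entirely to netlib's verify callback, which is not visible here), the proxy keeps going and the flag is silently defeated. Fail closed instead: after the first `self.log(...)` add `if self.config.openssl_verification_mode_server == SSL.VERIFY_PEER: raise ProxyError(502, "Upstream certificate verification failed")` and keep the "Ignoring" log only for the `VERIFY_NONE` case, where "warn" is a more honest level than "error" because the user never asked for verification (`SSL` would need importing from OpenSSL if server.py does not already have it; the `except tcp.NetLibError` below will not swallow the `ProxyError`). Separately, `SSL.VERIFY_PEER` validates the chain only; nothing here compares the leaf certificate against `sni` or the server address, so any certificate issued by a trusted CA for any host is accepted, and that limitation should at least be stated in the `--verify-upstream-cert` help until hostname checking is added. The enclosing `ConnectionHandler` method starts before and ends after this hunk.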
@@ -246,6 +256,13 @@ class ConnectionHandler: if client and "handshake failure" in e.message: self.server_conn.may_require_sni = e else: + ssl_cert_err = self.server_conn.ssl_verification_error + if ssl_cert_err is not None: + self.log( + "SSL verification failed for upstream server at depth %s with error: %s" % + (ssl_cert_err['depth'], ssl_cert_err['errno']), + "error") + self.log("Aborting connection attempt", "error") raise e if client: if self.client_conn.ssl_established: -- cgit v1.2.3
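Review bot: The five-line block that logs `ssl_verification_error` in this `else:` branch is a verbatim copy of the one added after `convert_to_ssl` in the previous hunk; give it a private helper on `ConnectionHandler`, e.g. `def _log_upstream_verification_error(self, err): self.log("SSL verification failed for upstream server at depth %s with error: %s" % (err['depth'], err['errno']), "error")`, and call it from both places so the two messages cannot drift apart. `errno` is presumably OpenSSL's numeric X509 verify result code, which operators rarely recognise on sight; if netlib exposes the textual reason as well, logging it beside the number would make the abort actionable. The enclosing method starts outside this hunk.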