diff options
author | Maximilian Hils <git@maximilianhils.com> | 2015-06-26 13:27:40 +0200 |
---|---|---|
committer | Maximilian Hils <git@maximilianhils.com> | 2015-06-26 13:27:40 +0200 |
commit | b369962cbe632588baf7b10917e3d31b91a18dbd (patch) | |
tree | 17b159340db4f3458d926e97fdd0d60cb02210aa | |
parent | 876252eba8272409e29ddea2806835e147bc6f70 (diff) | |
download | mitmproxy-b369962cbe632588baf7b10917e3d31b91a18dbd.tar.gz mitmproxy-b369962cbe632588baf7b10917e3d31b91a18dbd.tar.bz2 mitmproxy-b369962cbe632588baf7b10917e3d31b91a18dbd.zip |
remove certforward feature
The certforward feature was implemented to support #gotofail,
which only works on unpatched iOS devices. Given that many apps don't
support iOS 7 anymore, jailbreak+ssl killswitch is usually the better option.
By removing certforward, we can make netlib a pure python module again,
which significantly simplifies distribution.
-rw-r--r-- | libmproxy/proxy/config.py | 8 | ||||
-rw-r--r-- | libmproxy/proxy/server.py | 42 | ||||
-rw-r--r-- | test/test_server.py | 8 | ||||
-rw-r--r-- | test/tservers.py | 2 |
4 files changed, 19 insertions, 41 deletions
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index b6d73314..a7a719cf 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -48,7 +48,6 @@ class ProxyConfig: ciphers_client=None, ciphers_server=None, certs=[], - certforward=False, ssl_version_client=tcp.SSL_DEFAULT_METHOD, ssl_version_server=tcp.SSL_DEFAULT_METHOD, ssl_ports=TRANSPARENT_SSL_PORTS, @@ -91,7 +90,6 @@ class ProxyConfig: CONF_BASENAME) for spec, cert in certs: self.certstore.add_cert_file(spec, cert) - self.certforward = certforward self.ssl_ports = ssl_ports if isinstance(ssl_version_client, int): @@ -202,7 +200,6 @@ def process_proxy_options(parser, options): ciphers_client=options.ciphers_client, ciphers_server=options.ciphers_server, certs=certs, - certforward=options.certforward, ssl_version_client=options.ssl_version_client, ssl_version_server=options.ssl_version_server, ssl_ports=ssl_ports, @@ -226,11 +223,6 @@ def ssl_option_group(parser): 'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. ' 'Can be passed multiple times.') group.add_argument( - "--cert-forward", action="store_true", - dest="certforward", default=False, - help="Simply forward SSL certificates from upstream." - ) - group.add_argument( "--ciphers-client", action="store", type=str, dest="ciphers_client", default=None, help="Set supported ciphers for client connections. (OpenSSL Syntax)" diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py index 71704413..051e8489 100644 --- a/libmproxy/proxy/server.py +++ b/libmproxy/proxy/server.py @@ -303,29 +303,25 @@ class ConnectionHandler: self.channel.tell("log", Log(msg, level)) def find_cert(self): - if self.config.certforward and self.server_conn.ssl_established: - return self.server_conn.cert, self.config.certstore.gen_pkey( - self.server_conn.cert), None - else: - host = self.server_conn.address.host - sans = [] - if self.server_conn.ssl_established and ( - not self.config.no_upstream_cert): - upstream_cert = self.server_conn.cert - sans.extend(upstream_cert.altnames) - if upstream_cert.cn: - sans.append(host) - host = upstream_cert.cn.decode("utf8").encode("idna") - if self.server_conn.sni: - sans.append(self.server_conn.sni) - # for ssl spoof mode - if hasattr(self.client_conn, "sni"): - sans.append(self.client_conn.sni) - - ret = self.config.certstore.get_cert(host, sans) - if not ret: - raise ProxyError(502, "Unable to generate dummy cert.") - return ret + host = self.server_conn.address.host + sans = [] + if self.server_conn.ssl_established and ( + not self.config.no_upstream_cert): + upstream_cert = self.server_conn.cert + sans.extend(upstream_cert.altnames) + if upstream_cert.cn: + sans.append(host) + host = upstream_cert.cn.decode("utf8").encode("idna") + if self.server_conn.sni: + sans.append(self.server_conn.sni) + # for ssl spoof mode + if hasattr(self.client_conn, "sni"): + sans.append(self.client_conn.sni) + + ret = self.config.certstore.get_cert(host, sans) + if not ret: + raise ProxyError(502, "Unable to generate dummy cert.") + return ret def handle_sni(self, connection): """ diff --git a/test/test_server.py b/test/test_server.py index 07b8a5f2..8cf4095b 100644 --- a/test/test_server.py +++ b/test/test_server.py @@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest): assert self.pathod("200").status_code == 502 -class TestCertForward(tservers.HTTPProxTest): - certforward = True - ssl = True - - def test_app_err(self): - tutils.raises("handshake error", self.pathod, "200:b@100") - - class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin): ssl = False diff --git a/test/tservers.py b/test/tservers.py index c70ad68a..96e340e9 100644 --- a/test/tservers.py +++ b/test/tservers.py @@ -89,7 +89,6 @@ class ProxTestBase(object): no_upstream_cert = False authenticator = None masterclass = TestMaster - certforward = False @classmethod def setupAll(cls): @@ -131,7 +130,6 @@ class ProxTestBase(object): no_upstream_cert = cls.no_upstream_cert, cadir = cls.cadir, authenticator = cls.authenticator, - certforward = cls.certforward, ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []), clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None ) |