author | Sachin Kelkar <sachinkel19@gmail.com> | 2016-07-27 17:57:38 -0700 |
---|---|---|
committer | Maximilian Hils <git@maximilianhils.com> | 2016-07-27 17:57:38 -0700 |
commit | 17fdb841f023a546ebb56bc8ae81fb6f74b224cc (patch) | |
tree | 178b84e74637bd096621d661c594e6dc9a5592aa /test | |
parent | 3636ed7d41a53819e38996022c16326a53e47a9e (diff) | |
verify upstream certificates by default (#1111)
squashed and merged by @mhils
Diffstat (limited to 'test')
-rw-r--r-- | test/mitmproxy/test_protocol_http2.py | 6 | ||||
-rw-r--r-- | test/mitmproxy/test_proxy.py | 6 | ||||
-rw-r--r-- | test/mitmproxy/test_server.py | 39 | ||||
-rw-r--r-- | test/mitmproxy/tservers.py | 3 |
4 files changed, 31 insertions, 23 deletions
diff --git a/test/mitmproxy/test_protocol_http2.py b/test/mitmproxy/test_protocol_http2.py
index aa096a72..f0fa9a40 100644
--- a/test/mitmproxy/test_protocol_http2.py
+++ b/test/mitmproxy/test_protocol_http2.py
@@ -102,7 +102,11 @@ class _Http2TestBase(object):
 @classmethod
 def get_options(cls):
- opts = options.Options(listen_port=0, no_upstream_cert=False)
+ opts = options.Options(
+ listen_port=0,
+ no_upstream_cert=False,
+ ssl_insecure=True
+ )
 opts.cadir = os.path.join(tempfile.gettempdir(), "mitmproxy")
 return opts
diff --git a/test/mitmproxy/test_proxy.py b/test/mitmproxy/test_proxy.py
index 6e790e28..84838018 100644
--- a/test/mitmproxy/test_proxy.py
+++ b/test/mitmproxy/test_proxy.py
@@ -146,9 +146,9 @@ class TestProcessProxyOptions:
 "--singleuser",
 "test")
- def test_verify_upstream_cert(self):
- p = self.assert_noerr("--verify-upstream-cert")
- assert p.openssl_verification_mode_server == SSL.VERIFY_PEER
+ def test_insecure(self):
+ p = self.assert_noerr("--insecure")
+ assert p.openssl_verification_mode_server == SSL.VERIFY_NONE
 def test_upstream_trusted_cadir(self):
 expected_dir = "/path/to/a/ca/dir"
diff --git a/test/mitmproxy/test_server.py b/test/mitmproxy/test_server.py
index 6230fc1f..a6dffb69 100644
--- a/test/mitmproxy/test_server.py
+++ b/test/mitmproxy/test_server.py
@@ -2,7 +2,6 @@ import os
 import socket
 import time
 import types
-from OpenSSL import SSL
 from netlib.exceptions import HttpReadDisconnect, HttpException
 from netlib.tcp import Address
@@ -15,6 +14,7 @@ from pathod import pathoc, pathod
 from mitmproxy.builtins import script
 from mitmproxy import controller
+from mitmproxy import options
 from mitmproxy.proxy.config import HostMatcher, parse_server_spec
 from mitmproxy.models import Error, HTTPResponse, HTTPFlow
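Review bot: `ssl_insecure=True` in `_Http2TestBase.get_options` switches upstream certificate verification off for every HTTP/2 test, and the `ProxyTestBase` hunk in test/mitmproxy/tservers.py does the same for the remaining proxy tests, with no comment at either site saying why. Presumably the test servers present certificates that no trusted CA has signed; if so, state it where the flag is set, e.g. `# test servers use untrusted certs; verification itself is covered in test_server.py`. As written, the verify-by-default path is only exercised by tests that set `ssl_insecure = False` themselves, so pointing these bases at the test CA instead of disabling verification would be the stronger long-term arrangement. The tservers.py function starts outside its hunk.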
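Review bot: With `test_verify_upstream_cert` replaced by `test_insecure`, nothing in this hunk asserts that option parsing without `--insecure` yields `SSL.VERIFY_PEER`, which is the behaviour the commit title promises. A companion case would pin it, for example `p = self.assert_noerr()` followed by `assert p.openssl_verification_mode_server == SSL.VERIFY_PEER` (assuming `assert_noerr` accepts an empty argument list; its definition is outside the hunk). Without that case, a regression that maps the default back to `VERIFY_NONE` would still pass this file.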
@@ -350,6 +350,15 @@ class TestHTTPSCertfile(tservers.HTTPProxyTest, CommonMixin):
 assert self.pathod("304")
+class TestHTTPSSecureByDefault:
+ def test_secure_by_default(self):
+ """
+ Certificate verification should be turned on by default.
+ """
+ default_opts = options.Options()
+ assert not default_opts.ssl_insecure
+
+
 class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
 """
@@ -360,11 +369,12 @@ class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
 cn=b"trusted-cert",
 certs=[
 ("trusted-cert", tutils.test_data.path("data/trusted-server.crt"))
- ])
+ ]
+ )
 def test_verification_w_cadir(self):
 self.config.options.update(
- ssl_verify_upstream_cert = True,
+ ssl_insecure = False,
 ssl_verify_upstream_trusted_cadir = tutils.test_data.path(
 "data/trusted-cadir/"
 )
@@ -372,10 +382,12 @@ class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
 self.pathoc()
 def test_verification_w_pemfile(self):
- self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
- self.config.options.ssl_verify_upstream_trusted_ca = tutils.test_data.path(
- "data/trusted-cadir/trusted-ca.pem")
-
+ self.config.options.update(
+ ssl_insecure = False,
+ ssl_verify_upstream_trusted_ca = tutils.test_data.path(
+ "data/trusted-cadir/trusted-ca.pem"
+ ),
+ )
 self.pathoc()
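Review bot: `test_secure_by_default` checks only that `options.Options().ssl_insecure` is falsy, so it would also pass if the default were `None` or the attribute were left unset to some other falsy value; `assert default_opts.ssl_insecure is False` pins the intended default exactly. The test also stops at the option object: it does not show that a proxy built from default options rejects an untrusted upstream certificate, and the later hunk in this file deletes `test_default_verification_w_bad_cert` without adding a default-path rejection case in its place. The remaining bad-cert tests all set `ssl_insecure` explicitly, so the end-to-end default appears to be untested here.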
@@ -396,18 +408,9 @@ class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxyTest):
 # We need to make an actual request because the upstream connection is lazy-loaded.
 return p.request("get:/p/242")
- def test_default_verification_w_bad_cert(self):
- """Should use no verification."""
- self.config.options.update(
- ssl_verify_upstream_trusted_ca = tutils.test_data.path(
- "data/trusted-cadir/trusted-ca.pem"
- )
- )
- assert self._request().status_code == 242
-
 def test_no_verification_w_bad_cert(self):
 self.config.options.update(
- ssl_verify_upstream_cert = False,
+ ssl_insecure = True,
 ssl_verify_upstream_trusted_ca = tutils.test_data.path(
 "data/trusted-cadir/trusted-ca.pem"
 )
@@ -416,7 +419,7 @@ class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxyTest):
 def test_verification_w_bad_cert(self):
 self.config.options.update(
- ssl_verify_upstream_cert = True,
+ ssl_insecure = False,
 ssl_verify_upstream_trusted_ca = tutils.test_data.path(
 "data/trusted-cadir/trusted-ca.pem"
 )
diff --git a/test/mitmproxy/tservers.py b/test/mitmproxy/tservers.py
index d364162c..1597f59c 100644
--- a/test/mitmproxy/tservers.py
+++ b/test/mitmproxy/tservers.py
@@ -120,7 +120,8 @@ class ProxyTestBase(object):
 return options.Options(
 listen_port=0,
 cadir=cls.cadir,
- add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain
+ add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain,
+ ssl_insecure=True,
 )
|