author | Maximilian Hils <git@maximilianhils.com> | 2017-09-04 17:32:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-04 17:32:49 +0200 |
commit | 68fab8bd92c87f5c91f94c8837477418d5b5ea3e (patch) | |
tree | f240abdb8032eb47c7471522cdfca428d1b1ca9c /test | |
parent | 96854cff528ebc9ef2576b3d55f712f28626ff84 (diff) | |
parent | de006ea8adc08b9a8a6aa94eda2b30468727c307 (diff) | |
Merge pull request #2560 from mhils/mitmproxy-net-tls
Split TLS parts from net.tcp into net.tls
Diffstat (limited to 'test')
-rw-r--r-- | test/mitmproxy/net/test_tcp.py | 84 | ||||
-rw-r--r-- | test/mitmproxy/net/test_tls.py | 55 | ||||
-rw-r--r-- | test/mitmproxy/proxy/test_server.py | 2 |
3 files changed, 74 insertions, 67 deletions
diff --git a/test/mitmproxy/net/test_tcp.py b/test/mitmproxy/net/test_tcp.py
index 3345840e..9d521533 100644
--- a/test/mitmproxy/net/test_tcp.py
+++ b/test/mitmproxy/net/test_tcp.py
@@ -206,7 +206,7 @@ class TestInvalidTrustFile(tservers.ServerTestBase):
 with pytest.raises(exceptions.TlsException):
 c.convert_to_ssl(
 sni="example.mitmproxy.org",
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/generate.py")
 )
@@ -236,7 +236,7 @@ class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
 def test_mode_none_should_pass(self):
 c = tcp.TCPClient(("127.0.0.1", self.port))
 with c.connect():
- c.convert_to_ssl(verify_options=SSL.VERIFY_NONE)
+ c.convert_to_ssl(verify=SSL.VERIFY_NONE)
 # Verification errors should be saved even if connection isn't aborted
 assert c.ssl_verification_error
@@ -252,7 +252,7 @@ class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
 with pytest.raises(exceptions.InvalidCertificateException):
 c.convert_to_ssl(
 sni="example.mitmproxy.org",
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/trusted-root.crt")
 )
@@ -276,17 +276,27 @@ class TestSSLUpstreamCertVerificationWBadHostname(tservers.ServerTestBase):
 with c.connect():
 with pytest.raises(exceptions.TlsException):
 c.convert_to_ssl(
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/trusted-root.crt")
 )
+ def test_mode_none_should_pass_without_sni(self):
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ with c.connect():
+ c.convert_to_ssl(
+ verify=SSL.VERIFY_NONE,
+ ca_path=tutils.test_data.path("mitmproxy/net/data/verificationcerts/")
+ )
+
+ assert "'no-hostname' doesn't match" in str(c.ssl_verification_error)
+
 def test_should_fail(self):
 c = tcp.TCPClient(("127.0.0.1", self.port))
 with c.connect():
 with pytest.raises(exceptions.InvalidCertificateException):
 c.convert_to_ssl(
 sni="mitmproxy.org",
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/trusted-root.crt")
 )
 assert c.ssl_verification_error
@@ -305,7 +315,7 @@ class TestSSLUpstreamCertVerificationWValidCertChain(tservers.ServerTestBase):
 with c.connect():
 c.convert_to_ssl(
 sni="example.mitmproxy.org",
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/trusted-root.crt")
 )
@@ -321,7 +331,7 @@ class TestSSLUpstreamCertVerificationWValidCertChain(tservers.ServerTestBase):
 with c.connect():
 c.convert_to_ssl(
 sni="example.mitmproxy.org",
- verify_options=SSL.VERIFY_PEER,
+ verify=SSL.VERIFY_PEER,
 ca_path=tutils.test_data.path("mitmproxy/net/data/verificationcerts/")
 )
@@ -774,10 +784,7 @@ class TestPeek(tservers.ServerTestBase):
 c.close()
 with pytest.raises(exceptions.NetlibException):
- if c.rfile.peek(1) == b"":
- # Workaround for Python 2 on Unix:
- # Peeking a closed connection does not raise an exception here.
- raise exceptions.NetlibException()
+ c.rfile.peek(1)
 class TestPeekSSL(TestPeek):
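Review bot: The added `test_mode_none_should_pass_without_sni` (first hunk on this line) has no comment saying what it pins, and the substring `'no-hostname' doesn't match` it asserts on is unexplained. As written, the test shows that with `verify=SSL.VERIFY_NONE` and no `sni` the handshake completes while a hostname mismatch is still recorded in `c.ssl_verification_error`. That record is the only sign the peer was not authenticated, so it deserves a line like the one in `test_mode_none_should_pass`, for example `# No SNI given: the hostname check still fails and is recorded, but VERIFY_NONE does not abort the handshake`. Where `'no-hostname'` comes from is not visible in this diff; it is presumably a placeholder used when no SNI is supplied, and the comment should say so once confirmed. The assertion matches the error text verbatim, so it will also need updating if the message is ever reworded.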
@@ -787,58 +794,3 @@ class TestPeekSSL(TestPeek):
 with c.connect() as conn:
 c.convert_to_ssl()
 return conn.pop()
-
-
-class TestSSLKeyLogger(tservers.ServerTestBase):
- handler = EchoHandler
- ssl = dict(
- cipher_list="AES256-SHA"
- )
-
- def test_log(self, tmpdir):
- testval = b"echo!\n"
- _logfun = tcp.log_ssl_key
-
- logfile = str(tmpdir.join("foo", "bar", "logfile"))
- tcp.log_ssl_key = tcp.SSLKeyLogger(logfile)
-
- c = tcp.TCPClient(("127.0.0.1", self.port))
- with c.connect():
- c.convert_to_ssl()
- c.wfile.write(testval)
- c.wfile.flush()
- assert c.rfile.readline() == testval
- c.finish()
-
- tcp.log_ssl_key.close()
- with open(logfile, "rb") as f:
- assert f.read().count(b"CLIENT_RANDOM") == 2
-
- tcp.log_ssl_key = _logfun
-
- def test_create_logfun(self):
- assert isinstance(
- tcp.SSLKeyLogger.create_logfun("test"),
- tcp.SSLKeyLogger)
- assert not tcp.SSLKeyLogger.create_logfun(False)
-
-
-class TestSSLInvalid(tservers.ServerTestBase):
- handler = EchoHandler
- ssl = True
-
- def test_invalid_ssl_method_should_fail(self):
- fake_ssl_method = 100500
- c = tcp.TCPClient(("127.0.0.1", self.port))
- with c.connect():
- with pytest.raises(exceptions.TlsException):
- c.convert_to_ssl(method=fake_ssl_method)
-
- def test_alpn_error(self):
- c = tcp.TCPClient(("127.0.0.1", self.port))
- with c.connect():
- with pytest.raises(exceptions.TlsException, match="must be a function"):
- c.create_ssl_context(alpn_select_callback="foo")
-
- with pytest.raises(exceptions.TlsException, match="ALPN error"):
- c.create_ssl_context(alpn_select="foo", alpn_select_callback="bar")
diff --git a/test/mitmproxy/net/test_tls.py b/test/mitmproxy/net/test_tls.py
new file mode 100644
index 00000000..d0583d34
--- /dev/null
+++ b/test/mitmproxy/net/test_tls.py
@@ -0,0 +1,55 @@
+import pytest
+
+from mitmproxy import exceptions
+from mitmproxy.net import tls
+from mitmproxy.net.tcp import TCPClient
+from test.mitmproxy.net.test_tcp import EchoHandler
+from . import tservers
+
+
+class TestMasterSecretLogger(tservers.ServerTestBase):
+ handler = EchoHandler
+ ssl = dict(
+ cipher_list="AES256-SHA"
+ )
+
+ def test_log(self, tmpdir):
+ testval = b"echo!\n"
+ _logfun = tls.log_master_secret
+
+ logfile = str(tmpdir.join("foo", "bar", "logfile"))
+ tls.log_master_secret = tls.MasterSecretLogger(logfile)
+
+ c = TCPClient(("127.0.0.1", self.port))
+ with c.connect():
+ c.convert_to_ssl()
+ c.wfile.write(testval)
+ c.wfile.flush()
+ assert c.rfile.readline() == testval
+ c.finish()
+
+ tls.log_master_secret.close()
+ with open(logfile, "rb") as f:
+ assert f.read().count(b"CLIENT_RANDOM") == 2
+
+ tls.log_master_secret = _logfun
+
+ def test_create_logfun(self):
+ assert isinstance(
+ tls.MasterSecretLogger.create_logfun("test"),
+ tls.MasterSecretLogger)
+ assert not tls.MasterSecretLogger.create_logfun(False)
+
+
+class TestTLSInvalid:
+ def test_invalid_ssl_method_should_fail(self):
+ fake_ssl_method = 100500
+ with pytest.raises(exceptions.TlsException):
+ tls.create_client_context(method=fake_ssl_method)
+
+ def test_alpn_error(self):
+ with pytest.raises(exceptions.TlsException, match="must be a function"):
+ tls.create_client_context(alpn_select_callback="foo")
+
+ with pytest.raises(exceptions.TlsException, match="ALPN error"):
+ tls.create_client_context(alpn_select="foo", alpn_select_callback="bar")
diff --git a/test/mitmproxy/proxy/test_server.py b/test/mitmproxy/proxy/test_server.py
index 562f822c..affdf221 100644
--- a/test/mitmproxy/proxy/test_server.py
+++ b/test/mitmproxy/proxy/test_server.py
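Review bot: In `test_log`, `tls.log_master_secret` is swapped by hand and restored only by the last statement, so any assertion that fails before it leaves a `MasterSecretLogger` installed as the module global for every later test. That logger writes TLS key material to a file (the test itself looks for `CLIENT_RANDOM` entries), so the replacement should be scoped to the test. Take pytest's `monkeypatch` fixture and use `logger = tls.MasterSecretLogger(logfile)` followed by `monkeypatch.setattr(tls, "log_master_secret", logger)`, then drop `_logfun` and the manual restore. `logger.close()` can then stand in for `tls.log_master_secret.close()`. The removed `TestSSLKeyLogger` had the same shape, so the move carries an existing weakness into the new file rather than introducing it.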
@@ -468,7 +468,7 @@ class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxyTest):
 self.options.ssl_insecure = False
 r = self._request()
 assert r.status_code == 502
- assert b"Certificate Verification Error" in r.raw_content
+ assert b"Certificate verification error" in r.raw_content
 class TestHTTPSNoCommonName(tservers.HTTPProxyTest): |