| -rw-r--r-- | .travis.yml | 2 | ||||
| -rw-r--r-- | mitmproxy/protocol/tls.py | 26 | ||||
| -rw-r--r-- | mitmproxy/proxy/config.py | 10 | 
3 files changed, 24 insertions, 14 deletions
diff --git a/.travis.yml b/.travis.yml
index fb579ac1..435c2ff8 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -46,7 +46,7 @@ install:
 before_script:
   - "openssl version -a"
   - "python -c \"from OpenSSL import SSL; print(SSL.SSLeay_version(SSL.SSLEAY_VERSION))\""
-  - "[[ $(flake8 -qq --count --exit-zero mitmproxy netlib pathod examples test) -le 12 ]]"
+  - "[[ $(flake8 -qq --count --exit-zero mitmproxy netlib pathod examples test) -le 3 ]]"
 script:
   - "py.test --timeout 60 --cov netlib --cov mitmproxy --cov pathod ./test/$SCOPE"
diff --git a/mitmproxy/protocol/tls.py b/mitmproxy/protocol/tls.py
index 5facff73..e0699562 100644
--- a/mitmproxy/protocol/tls.py
+++ b/mitmproxy/protocol/tls.py
@@ -273,9 +273,9 @@ class TlsClientHello(object):
     def sni(self):
         for extension in self._client_hello.extensions:
             is_valid_sni_extension = (
-                extension.type == 0x00
-                and len(extension.server_names) == 1
-                and extension.server_names[0].type == 0
+                extension.type == 0x00 and
+                len(extension.server_names) == 1 and
+                extension.server_names[0].type == 0
             )
             if is_valid_sni_extension:
                 return extension.server_names[0].name
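Review bot: Moving `and` to the ends of the lines in `is_valid_sni_extension` puts the operator where it is easiest to overlook, and PEP 8 (since its 2016 revision) recommends the leading-operator layout this hunk removes; presumably the rewrite is there to satisfy the W503 default of the flake8 version the CI step pins. If so, adding `W503` to the project's flake8 ignore list would let the original layout stand, both here and in the `client_tls_requires_server_connection` / `establish_server_tls_now` expressions of the `@@ -362` hunk, which makes the same change. Whatever follows the loop in `sni` is outside the hunk, so I cannot tell whether the method ends here.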
@@ -362,17 +362,17 @@ class TlsLayer(Layer):
         #      what is supported by the server
         #  2.5 The client did not sent a SNI value, we don't know the certificate subject.
         client_tls_requires_server_connection = (
-            self._server_tls
-            and not self.config.no_upstream_cert
-            and (
-                self.config.add_upstream_certs_to_client_chain
-                or self._client_hello.alpn_protocols
-                or not self._client_hello.sni
+            self._server_tls and
+            not self.config.no_upstream_cert and
+            (
+                self.config.add_upstream_certs_to_client_chain or
+                self._client_hello.alpn_protocols or
+                not self._client_hello.sni
             )
         )
         establish_server_tls_now = (
-            (self.server_conn and self._server_tls)
-            or client_tls_requires_server_connection
+            (self.server_conn and self._server_tls) or
+            client_tls_requires_server_connection
         )
         if self._client_tls and establish_server_tls_now:
@@ -508,7 +508,9 @@ class TlsLayer(Layer):
             # We only support http/1.1 and h2.
             # If the server only supports spdy (next to http/1.1), it may select that
             # and mitmproxy would enter TCP passthrough mode, which we want to avoid.
-            deprecated_http2_variant = lambda x: x.startswith(b"h2-") or x.startswith(b"spdy")
+            def deprecated_http2_variant(x):
+                return x.startswith(b"h2-") or x.startswith(b"spdy")
+
             if self._client_hello.alpn_protocols:
                 alpn = [x for x in self._client_hello.alpn_protocols if not deprecated_http2_variant(x)]
             else:
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 5587e111..b08470bd 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
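Review bot: The new `deprecated_http2_variant` in the `@@ -508` hunk can be a single prefix test, since `bytes.startswith` accepts a tuple: `return x.startswith((b"h2-", b"spdy"))`. Now that it is a real function it would also help to carry the reasoning from the comment above it into a one-line docstring, e.g. `"""Return True for h2 draft and SPDY ALPN names, which mitmproxy does not speak."""`, so the helper stays self-explanatory if the comment and the function drift apart. The `if`/`else` it is nested in begins before and ends after the hunk, inside a `TlsLayer` method whose name is not visible here.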
@@ -17,7 +17,15 @@ CA_DIR = "~/.mitmproxy"
 # We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
-DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:" \
+    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:" \
+    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:" \
+    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:" \
+    "DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:" \
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:" \
+    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
+    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 class HostMatcher(object):
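Review bot: The backslash continuations on the new `DEFAULT_CLIENT_CIPHERS` lines are fragile (a stray space after a `\` is a syntax error that is hard to spot by eye); wrapping the adjacent literals in parentheses, `DEFAULT_CLIENT_CIPHERS = (` … `)`, gives the same implicit concatenation without them. Since this constant decides which suites the client side will negotiate, the wrapped form is also a good moment to add a short comment above it explaining that in OpenSSL cipher-string syntax `!DES` excludes only single-DES suites, so the 3DES suites listed (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `ECDHE-ECDSA-DES-CBC3-SHA`) stay enabled deliberately for the Mozilla "old" compatibility profile linked above, while the three `!EDH-*-DES-CBC3-SHA` / `!KRB5-DES-CBC3-SHA` entries at the end are excluded explicitly. Without that note the next maintainer may "fix" the list in either direction.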
