From 17fdb841f023a546ebb56bc8ae81fb6f74b224cc Mon Sep 17 00:00:00 2001
From: Sachin Kelkar <sachinkel19@gmail.com>
Date: Wed, 27 Jul 2016 17:57:38 -0700
Subject: verify upstream certificates by default (#1111)

squashed and merged by @mhils
---
 test/mitmproxy/test_protocol_http2.py |  6 +++++-
 test/mitmproxy/test_proxy.py          |  6 +++---
 test/mitmproxy/test_server.py         | 39 +++++++++++++++++++----------------
 test/mitmproxy/tservers.py            |  3 ++-
 4 files changed, 31 insertions(+), 23 deletions(-)

(limited to 'test')

diff --git a/test/mitmproxy/test_protocol_http2.py b/test/mitmproxy/test_protocol_http2.py
index aa096a72..f0fa9a40 100644
--- a/test/mitmproxy/test_protocol_http2.py
+++ b/test/mitmproxy/test_protocol_http2.py
@@ -102,7 +102,11 @@ class _Http2TestBase(object):
 
     @classmethod
     def get_options(cls):
-        opts = options.Options(listen_port=0, no_upstream_cert=False)
+        opts = options.Options(
+            listen_port=0,
+            no_upstream_cert=False,
+            ssl_insecure=True
+        )
         opts.cadir = os.path.join(tempfile.gettempdir(), "mitmproxy")
         return opts
 
diff --git a/test/mitmproxy/test_proxy.py b/test/mitmproxy/test_proxy.py
index 6e790e28..84838018 100644
--- a/test/mitmproxy/test_proxy.py
+++ b/test/mitmproxy/test_proxy.py
@@ -146,9 +146,9 @@ class TestProcessProxyOptions:
             "--singleuser",
             "test")
 
-    def test_verify_upstream_cert(self):
-        p = self.assert_noerr("--verify-upstream-cert")
-        assert p.openssl_verification_mode_server == SSL.VERIFY_PEER
+    def test_insecure(self):
+        p = self.assert_noerr("--insecure")
+        assert p.openssl_verification_mode_server == SSL.VERIFY_NONE
 
     def test_upstream_trusted_cadir(self):
         expected_dir = "/path/to/a/ca/dir"
diff --git a/test/mitmproxy/test_server.py b/test/mitmproxy/test_server.py
index 6230fc1f..a6dffb69 100644
--- a/test/mitmproxy/test_server.py
+++ b/test/mitmproxy/test_server.py
@@ -2,7 +2,6 @@ import os
 import socket
 import time
 import types
-from OpenSSL import SSL
 from netlib.exceptions import HttpReadDisconnect, HttpException
 from netlib.tcp import Address
 
@@ -15,6 +14,7 @@ from pathod import pathoc, pathod
 
 from mitmproxy.builtins import script
 from mitmproxy import controller
+from mitmproxy import options
 from mitmproxy.proxy.config import HostMatcher, parse_server_spec
 from mitmproxy.models import Error, HTTPResponse, HTTPFlow
 
@@ -350,6 +350,15 @@ class TestHTTPSCertfile(tservers.HTTPProxyTest, CommonMixin):
         assert self.pathod("304")
 
 
+class TestHTTPSSecureByDefault:
+    def test_secure_by_default(self):
+        """
+        Certificate verification should be turned on by default.
+        """
+        default_opts = options.Options()
+        assert not default_opts.ssl_insecure
+
+
 class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
 
     """
@@ -360,11 +369,12 @@ class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
         cn=b"trusted-cert",
         certs=[
             ("trusted-cert", tutils.test_data.path("data/trusted-server.crt"))
-        ])
+        ]
+    )
 
     def test_verification_w_cadir(self):
         self.config.options.update(
-            ssl_verify_upstream_cert = True,
+            ssl_insecure = False,
             ssl_verify_upstream_trusted_cadir = tutils.test_data.path(
                 "data/trusted-cadir/"
             )
@@ -372,10 +382,12 @@ class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxyTest):
         self.pathoc()
 
     def test_verification_w_pemfile(self):
-        self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
-        self.config.options.ssl_verify_upstream_trusted_ca = tutils.test_data.path(
-            "data/trusted-cadir/trusted-ca.pem")
-
+        self.config.options.update(
+            ssl_insecure = False,
+            ssl_verify_upstream_trusted_ca = tutils.test_data.path(
+                "data/trusted-cadir/trusted-ca.pem"
+            ),
+        )
         self.pathoc()
 
 
@@ -396,18 +408,9 @@ class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxyTest):
         # We need to make an actual request because the upstream connection is lazy-loaded.
         return p.request("get:/p/242")
 
-    def test_default_verification_w_bad_cert(self):
-        """Should use no verification."""
-        self.config.options.update(
-            ssl_verify_upstream_trusted_ca = tutils.test_data.path(
-                "data/trusted-cadir/trusted-ca.pem"
-            )
-        )
-        assert self._request().status_code == 242
-
     def test_no_verification_w_bad_cert(self):
         self.config.options.update(
-            ssl_verify_upstream_cert = False,
+            ssl_insecure = True,
             ssl_verify_upstream_trusted_ca = tutils.test_data.path(
                 "data/trusted-cadir/trusted-ca.pem"
             )
@@ -416,7 +419,7 @@ class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxyTest):
 
     def test_verification_w_bad_cert(self):
         self.config.options.update(
-            ssl_verify_upstream_cert = True,
+            ssl_insecure = False,
             ssl_verify_upstream_trusted_ca = tutils.test_data.path(
                 "data/trusted-cadir/trusted-ca.pem"
             )
diff --git a/test/mitmproxy/tservers.py b/test/mitmproxy/tservers.py
index d364162c..1597f59c 100644
--- a/test/mitmproxy/tservers.py
+++ b/test/mitmproxy/tservers.py
@@ -120,7 +120,8 @@ class ProxyTestBase(object):
         return options.Options(
             listen_port=0,
             cadir=cls.cadir,
-            add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain
+            add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain,
+            ssl_insecure=True,
         )
 
 
-- 
cgit v1.2.3