remove certforward feature

The certforward feature was implemented to support #gotofail,
which only works on unpatched iOS devices. Given that many apps don't
support iOS 7 anymore, jailbreak+ssl killswitch is usually the better option.
By removing certforward, we can make netlib a pure python module again,
which significantly simplifies distribution.
Maximilian Hils 2015-06-26 13:27:40 +02:00
parent 876252eba8
commit b369962cbe
4 changed files with 18 additions and 40 deletions


@ -48,7 +48,6 @@ class ProxyConfig:
ciphers_client=None,
ciphers_server=None,
certs=[],
certforward=False,
ssl_version_client=tcp.SSL_DEFAULT_METHOD,
ssl_version_server=tcp.SSL_DEFAULT_METHOD,
ssl_ports=TRANSPARENT_SSL_PORTS,
@ -91,7 +90,6 @@ class ProxyConfig:
CONF_BASENAME)
for spec, cert in certs:
self.certstore.add_cert_file(spec, cert)
self.certforward = certforward
self.ssl_ports = ssl_ports
if isinstance(ssl_version_client, int):
@ -202,7 +200,6 @@ def process_proxy_options(parser, options):
ciphers_client=options.ciphers_client,
ciphers_server=options.ciphers_server,
certs=certs,
certforward=options.certforward,
ssl_version_client=options.ssl_version_client,
ssl_version_server=options.ssl_version_server,
ssl_ports=ssl_ports,
@ -225,11 +222,6 @@ def ssl_option_group(parser):
'it is used, else the default key in the conf dir is used. '
'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. '
'Can be passed multiple times.')
group.add_argument(
"--cert-forward", action="store_true",
dest="certforward", default=False,
help="Simply forward SSL certificates from upstream."
)
group.add_argument(
"--ciphers-client", action="store",
type=str, dest="ciphers_client", default=None,


@ -303,29 +303,25 @@ class ConnectionHandler:
self.channel.tell("log", Log(msg, level))
def find_cert(self):
if self.config.certforward and self.server_conn.ssl_established:
return self.server_conn.cert, self.config.certstore.gen_pkey(
self.server_conn.cert), None
else:
host = self.server_conn.address.host
sans = []
if self.server_conn.ssl_established and (
not self.config.no_upstream_cert):
upstream_cert = self.server_conn.cert
sans.extend(upstream_cert.altnames)
if upstream_cert.cn:
sans.append(host)
host = upstream_cert.cn.decode("utf8").encode("idna")
if self.server_conn.sni:
sans.append(self.server_conn.sni)
# for ssl spoof mode
if hasattr(self.client_conn, "sni"):
sans.append(self.client_conn.sni)
host = self.server_conn.address.host
sans = []
if self.server_conn.ssl_established and (
not self.config.no_upstream_cert):
upstream_cert = self.server_conn.cert
sans.extend(upstream_cert.altnames)
if upstream_cert.cn:
sans.append(host)
host = upstream_cert.cn.decode("utf8").encode("idna")
if self.server_conn.sni:
sans.append(self.server_conn.sni)
# for ssl spoof mode
if hasattr(self.client_conn, "sni"):
sans.append(self.client_conn.sni)
ret = self.config.certstore.get_cert(host, sans)
if not ret:
raise ProxyError(502, "Unable to generate dummy cert.")
return ret
ret = self.config.certstore.get_cert(host, sans)
if not ret:
raise ProxyError(502, "Unable to generate dummy cert.")
return ret
def handle_sni(self, connection):
"""


@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
assert self.pathod("200").status_code == 502
class TestCertForward(tservers.HTTPProxTest):
certforward = True
ssl = True
def test_app_err(self):
tutils.raises("handshake error", self.pathod, "200:b@100")
class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin):
ssl = False


@ -89,7 +89,6 @@ class ProxTestBase(object):
no_upstream_cert = False
authenticator = None
masterclass = TestMaster
certforward = False
@classmethod
def setupAll(cls):
@ -131,7 +130,6 @@ class ProxTestBase(object):
no_upstream_cert = cls.no_upstream_cert,
cadir = cls.cadir,
authenticator = cls.authenticator,
certforward = cls.certforward,
ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []),
clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None
)