remove certforward feature
The certforward feature was implemented to support #gotofail, which only works on unpatched iOS devices. Given that many apps don't support iOS 7 anymore, jailbreak+ssl killswitch is usually the better option. By removing certforward, we can make netlib a pure python module again, which significantly simplifies distribution.
parent
876252eba8
commit
b369962cbe
@ -48,7 +48,6 @@ class ProxyConfig:
|
||||
ciphers_client=None,
|
||||
ciphers_server=None,
|
||||
certs=[],
|
||||
certforward=False,
|
||||
ssl_version_client=tcp.SSL_DEFAULT_METHOD,
|
||||
ssl_version_server=tcp.SSL_DEFAULT_METHOD,
|
||||
ssl_ports=TRANSPARENT_SSL_PORTS,
|
||||
@ -91,7 +90,6 @@ class ProxyConfig:
|
||||
CONF_BASENAME)
|
||||
for spec, cert in certs:
|
||||
self.certstore.add_cert_file(spec, cert)
|
||||
self.certforward = certforward
|
||||
self.ssl_ports = ssl_ports
|
||||
|
||||
if isinstance(ssl_version_client, int):
|
||||
@ -202,7 +200,6 @@ def process_proxy_options(parser, options):
|
||||
ciphers_client=options.ciphers_client,
|
||||
ciphers_server=options.ciphers_server,
|
||||
certs=certs,
|
||||
certforward=options.certforward,
|
||||
ssl_version_client=options.ssl_version_client,
|
||||
ssl_version_server=options.ssl_version_server,
|
||||
ssl_ports=ssl_ports,
|
||||
@ -225,11 +222,6 @@ def ssl_option_group(parser):
|
||||
'it is used, else the default key in the conf dir is used. '
|
||||
'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. '
|
||||
'Can be passed multiple times.')
|
||||
group.add_argument(
|
||||
"--cert-forward", action="store_true",
|
||||
dest="certforward", default=False,
|
||||
help="Simply forward SSL certificates from upstream."
|
||||
)
|
||||
group.add_argument(
|
||||
"--ciphers-client", action="store",
|
||||
type=str, dest="ciphers_client", default=None,
|
||||
|
@ -303,29 +303,25 @@ class ConnectionHandler:
|
||||
self.channel.tell("log", Log(msg, level))
|
||||
|
||||
def find_cert(self):
|
||||
if self.config.certforward and self.server_conn.ssl_established:
|
||||
return self.server_conn.cert, self.config.certstore.gen_pkey(
|
||||
self.server_conn.cert), None
|
||||
else:
|
||||
host = self.server_conn.address.host
|
||||
sans = []
|
||||
if self.server_conn.ssl_established and (
|
||||
not self.config.no_upstream_cert):
|
||||
upstream_cert = self.server_conn.cert
|
||||
sans.extend(upstream_cert.altnames)
|
||||
if upstream_cert.cn:
|
||||
sans.append(host)
|
||||
host = upstream_cert.cn.decode("utf8").encode("idna")
|
||||
if self.server_conn.sni:
|
||||
sans.append(self.server_conn.sni)
|
||||
# for ssl spoof mode
|
||||
if hasattr(self.client_conn, "sni"):
|
||||
sans.append(self.client_conn.sni)
|
||||
host = self.server_conn.address.host
|
||||
sans = []
|
||||
if self.server_conn.ssl_established and (
|
||||
not self.config.no_upstream_cert):
|
||||
upstream_cert = self.server_conn.cert
|
||||
sans.extend(upstream_cert.altnames)
|
||||
if upstream_cert.cn:
|
||||
sans.append(host)
|
||||
host = upstream_cert.cn.decode("utf8").encode("idna")
|
||||
if self.server_conn.sni:
|
||||
sans.append(self.server_conn.sni)
|
||||
# for ssl spoof mode
|
||||
if hasattr(self.client_conn, "sni"):
|
||||
sans.append(self.client_conn.sni)
|
||||
|
||||
ret = self.config.certstore.get_cert(host, sans)
|
||||
if not ret:
|
||||
raise ProxyError(502, "Unable to generate dummy cert.")
|
||||
return ret
|
||||
ret = self.config.certstore.get_cert(host, sans)
|
||||
if not ret:
|
||||
raise ProxyError(502, "Unable to generate dummy cert.")
|
||||
return ret
|
||||
|
||||
def handle_sni(self, connection):
|
||||
"""
|
||||
|
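Review bot: In the de-indented find_cert body, `if hasattr(self.client_conn, "sni"): sans.append(self.client_conn.sni)` appends the attribute whenever it exists, while the server_conn check just above tests the value for truthiness; if client_conn.sni can be unset-but-present as None (the hunk does not show where it is assigned), that None is passed along in sans to certstore.get_cert. `if getattr(self.client_conn, "sni", None): sans.append(self.client_conn.sni)` makes both checks consistent and drops the hasattr. The method also has no docstring now that the certforward branch is gone; a one-line `"""Choose host and SANs for the dummy cert from the upstream cert and SNI, then fetch it from the certstore (502 if none can be produced)."""` would state the contract. ConnectionHandler continues outside the hunk.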
@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
|
||||
assert self.pathod("200").status_code == 502
|
||||
|
||||
|
||||
class TestCertForward(tservers.HTTPProxTest):
|
||||
certforward = True
|
||||
ssl = True
|
||||
|
||||
def test_app_err(self):
|
||||
tutils.raises("handshake error", self.pathod, "200:b@100")
|
||||
|
||||
|
||||
class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin):
|
||||
ssl = False
|
||||
|
||||
|
@ -89,7 +89,6 @@ class ProxTestBase(object):
|
||||
no_upstream_cert = False
|
||||
authenticator = None
|
||||
masterclass = TestMaster
|
||||
certforward = False
|
||||
|
||||
@classmethod
|
||||
def setupAll(cls):
|
||||
@ -131,7 +130,6 @@ class ProxTestBase(object):
|
||||
no_upstream_cert = cls.no_upstream_cert,
|
||||
cadir = cls.cadir,
|
||||
authenticator = cls.authenticator,
|
||||
certforward = cls.certforward,
|
||||
ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []),
|
||||
clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None
|
||||
)
|
||||
|