From e7f3bfda23015d96712f1350dc09a38a5c67ac7d Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 16 Jul 2024 15:43:59 +0200
Subject: [PATCH] handle certificate parsing errors more gracefully, fix #6968 (#6994)

* handle certificate parsing errors more gracefully, fix #6968

* [autofix.ci] apply automated fixes

* fixup

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 2 ++
 mitmproxy/proxy/layers/tls.py | 14 +++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6de242ee6..fc292b0a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@
   ([#6921](https://github.com/mitmproxy/mitmproxy/pull/6921), @zendai)
 * Add `HttpConnectedHook` and `HttpConnectErrorHook`.
   ([#6930](https://github.com/mitmproxy/mitmproxy/pull/6930), @errorxyz)
+* Handle certificates we cannot parse more gracefully.
+  ([#6994](https://github.com/mitmproxy/mitmproxy/pull/6994), @mhils)
 * Parse compressed domain names in ResourceRecord data
   ([#6954](https://github.com/mitmproxy/mitmproxy/pull/6954), @errorxyz)
 * Fix a bug where mitmweb's flow list would not stay at the bottom.
diff --git a/mitmproxy/proxy/layers/tls.py b/mitmproxy/proxy/layers/tls.py
index 3b006becb..4877031a5 100644
--- a/mitmproxy/proxy/layers/tls.py
+++ b/mitmproxy/proxy/layers/tls.py
@@ -360,12 +360,20 @@ class TLSLayer(tunnel.TunnelLayer):
             cert = self.tls.get_peer_certificate()
             if cert:
                 all_certs.insert(0, cert)
+            self.conn.certificate_list = []
+            for cert in all_certs:
+                try:
+                    # This may fail for weird certs, https://github.com/mitmproxy/mitmproxy/issues/6968.
+                    parsed_cert = certs.Cert.from_pyopenssl(cert)
+                except ValueError as e:
+                    yield commands.Log(
+                        f"{self.debug}[tls] failed to parse certificate: {e}", WARNING
+                    )
+                else:
+                    self.conn.certificate_list.append(parsed_cert)
             self.conn.timestamp_tls_setup = time.time()
             self.conn.alpn = self.tls.get_alpn_proto_negotiated()
-            self.conn.certificate_list = [
-                certs.Cert.from_pyopenssl(x) for x in all_certs
-            ]
             self.conn.cipher = self.tls.get_cipher_name()
             self.conn.tls_version = self.tls.get_protocol_version_name()
             if self.debug:
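Review bot: The WARNING emitted in the new `except ValueError` branch is prefixed with `{self.debug}` but, unlike the debug log guarded by `if self.debug:` at the end of this hunk, it is emitted unconditionally, so if `self.debug` is `None` when debug output is off (which that guard suggests) the user-visible warning will begin with the literal text `None[tls]`; write it as `f"{self.debug or ''}[tls] failed to parse certificate: {e}"` or drop the prefix for this non-debug message. Because an unparsable certificate is simply skipped, `self.conn.certificate_list` no longer lines up positionally with the chain the peer presented, so any consumer that treats index 0 as the leaf may silently read an intermediate instead; recording the chain position in the warning, `for i, cert in enumerate(all_certs):` and `... failed to parse certificate #{i} in chain: {e}`, makes the gap diagnosable, and a comment such as `# Certificates that fail to parse are omitted, so indices may not match the presented chain.` belongs on the `self.conn.certificate_list = []` line. The loop variable also rebinds `cert` from `self.tls.get_peer_certificate()` three lines above, which is harmless only if `cert` is not read later in the method; a distinct name such as `raw_cert` avoids the question. Catching only `ValueError` presumably matches what `Cert.from_pyopenssl` raises for malformed DER; confirm against its implementation, since any other exception type would still abort the handshake bookkeeping. The enclosing method begins and ends outside this hunk.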