def test_get_cert(self, tdata):
"""Test that we generate a certificate matching the connection's context."""
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
# Edge case first: We don't have _any_ idea about the server, so we just return "mitmproxy" as subject.
entry = ta.get_cert(ctx)
assert entry.cert.cn == "mitmproxy"
# Here we have an existing server connection...
ctx.server.address = ("server-address.example", 443)
with open(
tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-leaf.crt"
), "rb") as f:
ctx.server.certificate_list = [certs.Cert.from_pem(f.read())]
entry = ta.get_cert(ctx)
assert entry.cert.cn == "example.mitmproxy.org"
assert entry.cert.altnames == [
"example.mitmproxy.org", "server-address.example"
]
# And now we also incorporate SNI.
ctx.client.sni = "sni.example"
entry = ta.get_cert(ctx)
assert entry.cert.altnames == [
"example.mitmproxy.org", "sni.example"
]
def test_alpn_selection(self):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
ctx.server.address = ("example.mitmproxy.org", 443)
tls_start = tls.TlsStartData(ctx.server, context=ctx)
def assert_alpn(http2, client_offers, expected):
tctx.configure(ta, http2=http2)
ctx.client.alpn_offers = client_offers
ctx.server.alpn_offers = None
ta.tls_start(tls_start)
assert ctx.server.alpn_offers == expected
assert_alpn(True, tls.HTTP_ALPNS + (b"foo", ),
tls.HTTP_ALPNS + (b"foo", ))
assert_alpn(False, tls.HTTP_ALPNS + (b"foo", ),
tls.HTTP1_ALPNS + (b"foo", ))
assert_alpn(True, [], tls.HTTP_ALPNS)
assert_alpn(False, [], tls.HTTP1_ALPNS)
ctx.client.timestamp_tls_setup = time.time()
# make sure that we don't upgrade h1 to h2,
# see comment in tlsconfig.py
assert_alpn(True, [], [])
async def test_ca_expired(self, monkeypatch):
monkeypatch.setattr(certs.Cert, "has_expired", lambda self: True)
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
await tctx.master.await_log(
"The mitmproxy certificate authority has expired", "warn")
def default_addons():
return [
core.Core(),
browser.Browser(),
block.Block(),
anticache.AntiCache(),
anticomp.AntiComp(),
check_ca.CheckCA(),
clientplayback.ClientPlayback(),
command_history.CommandHistory(),
cut.Cut(),
disable_h2c.DisableH2C(),
export.Export(),
next_layer.NextLayer(),
onboarding.Onboarding(),
proxyauth.ProxyAuth(),
proxyserver.Proxyserver(),
script.ScriptLoader(),
serverplayback.ServerPlayback(),
mapremote.MapRemote(),
maplocal.MapLocal(),
modifybody.ModifyBody(),
modifyheaders.ModifyHeaders(),
stickyauth.StickyAuth(),
stickycookie.StickyCookie(),
streambodies.StreamBodies(),
save.Save(),
tlsconfig.TlsConfig(),
upstream_auth.UpstreamAuth(),
]
def test_tls_start_client(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
tctx.configure(
ta,
certs=[
tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
)
],
ciphers_client="ECDHE-ECDSA-AES128-GCM-SHA256",
)
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
tls_start = tls.TlsData(ctx.client, context=ctx)
ta.tls_start_client(tls_start)
tssl_server = tls_start.ssl_conn
# assert that a preexisting ssl_conn is not overwritten
ta.tls_start_client(tls_start)
assert tssl_server is tls_start.ssl_conn
tssl_client = test_tls.SSLTest()
assert self.do_handshake(tssl_client, tssl_server)
assert tssl_client.obj.getpeercert()["subjectAltName"] == ((
"DNS", "example.mitmproxy.org"), )
def test_tls_clienthello(self):
# only really testing for coverage here, there's no point in mirroring the individual conditions
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
ch = tls.ClientHelloData(ctx)
ta.tls_clienthello(ch)
assert not ch.establish_server_tls_first
def test_configure(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
with pytest.raises(Exception, match="file does not exist"):
tctx.configure(ta, certs=["*=nonexistent"])
with pytest.raises(Exception, match="Invalid certificate format"):
tctx.configure(ta, certs=[tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.key")])
assert not ta.certstore.certs
tctx.configure(ta, certs=[tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.pem")])
assert ta.certstore.certs
def test_create_proxy_server_ssl_conn_verify_ok(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
ctx.server.address = ("example.mitmproxy.org", 443)
tctx.configure(ta, ssl_verify_upstream_trusted_ca=tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-root.crt"))
tls_start = tls.TlsStartData(ctx.server, context=ctx)
ta.tls_start(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
assert self.do_handshake(tssl_client, tssl_server)
def test_create_proxy_server_ssl_conn_verify_failed(self):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
ctx.client.alpn_offers = [b"h2"]
ctx.client.cipher_list = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA"]
ctx.server.address = ("example.mitmproxy.org", 443)
tls_start = tls.TlsStartData(ctx.server, context=ctx)
ta.tls_start(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
with pytest.raises(SSL.Error, match="certificate verify failed"):
assert self.do_handshake(tssl_client, tssl_server)
def test_create_client_proxy_ssl_conn(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
tctx.configure(ta, certs=[tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.pem")])
ctx = context.Context(context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
tctx.options.add_upstream_certs_to_client_chain = True
tls_start = tls.TlsStartData(ctx.client, context=ctx)
ta.tls_start(tls_start)
tssl_server = tls_start.ssl_conn
tssl_client = test_tls.SSLTest()
assert self.do_handshake(tssl_client, tssl_server)
assert tssl_client.obj.getpeercert()["subjectAltName"] == (("DNS", "example.mitmproxy.org"),)
def test_no_h2_proxy(self, tdata):
"""Do not negotiate h2 on the client<->proxy connection in secure web proxy mode,
https://github.com/mitmproxy/mitmproxy/issues/4689"""
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
tctx.configure(ta, certs=[tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.pem")])
ctx = context.Context(connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
# mock up something that looks like a secure web proxy.
ctx.layers = [
modes.HttpProxy(ctx),
123
]
tls_start = tls.TlsData(ctx.client, context=ctx)
ta.tls_start_client(tls_start)
assert tls_start.ssl_conn.get_app_data()["client_alpn"] == b"http/1.1"
def test_create_proxy_server_ssl_conn_insecure(self):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
ctx.server.address = ("example.mitmproxy.org", 443)
tctx.configure(ta,
ssl_verify_upstream_trusted_ca=None,
ssl_insecure=True,
http2=False,
ciphers_server="ALL")
tls_start = tls.TlsStartData(ctx.server, context=ctx)
ta.tls_start(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
assert self.do_handshake(tssl_client, tssl_server)
