def next_layer(next_layer):
    """
    This hook does the actual magic - if the next layer is planned to be a TLS layer,
    we check if we want to enter pass-through mode instead.
    """
    if isinstance(next_layer, TlsLayer) and next_layer._client_tls:
        server_address = next_layer.server_conn.address

        global tls_intercept_en
        if not tls_intercept_en:
            timestamp = '[{}] '.format(datetime.today())
            mitmproxy.ctx.log(
                timestamp +
                "TLS intercept is disabled! Skipping TLS interception for %s "
                % str(server_address))
            next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
            next_layer.reply.send(next_layer_replacement)
            # tls_strategy.record_skipped(server_address)
            return

        #cert = next_layer._find_cert())
        hostname, _ = tls_strategy.getAssociatedDomain(server_address[0])

        timestamp = '[{}] '.format(datetime.today())
        if hostname:
            mitmproxy.ctx.log(timestamp +
                              "Deciding TLS strategy for %s mapped to %s " %
                              (str(server_address), hostname))
        else:
            mitmproxy.ctx.log(timestamp + "Deciding TLS strategy for %s " %
                              str(server_address))

        if not tls_strategy:
            mitmproxy.ctx.log(
                "tls_strategy is None for %s" %
                repr(next_layer.server_conn.address), "info")
            return

        if tls_strategy.should_intercept(server_address):
            # We try to intercept.
            # Monkey-Patch the layer to get feedback from the TLSLayer if interception worked.
            next_layer.__class__ = TlsFeedback
        else:
            # We don't intercept - reply with a pass-through layer and add a "skipped" entry.
            timestamp = '[{}] '.format(datetime.today())
            if hostname:
                mitmproxy.ctx.log(
                    timestamp + "TLS passthrough for %s mapped to %s" %
                    (repr(next_layer.server_conn.address), hostname), "info")
            else:
                mitmproxy.ctx.log(
                    timestamp + "TLS passthrough for %s" %
                    repr(next_layer.server_conn.address), "info")
            next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
            next_layer.reply.send(next_layer_replacement)
Beispiel #2
0
def next_layer(next_layer):
    if isinstance(next_layer, TlsLayer) and next_layer._client_tls:
        server_address = next_layer.server_conn.address
        host = server_address[0]
        if not host in server_address_watch:
            next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
            next_layer.reply.send(next_layer_replacement)
Beispiel #3
0
def next_layer(layer):
    '''
    mitmproxy wasn't really meant for intercepting raw tcp streams, it tries to wrap the
    upsteam connection (the one to the worker) in a tls stream. This hook intercepts the
    part where it creates the TlsLayer (it happens in root_context.py) and instead creates
    a RawTCPLayer. That's the layer which calls our tcp_message hook
    '''
    if isinstance(layer, TlsLayer):
        replacement = RawTCPLayer(layer.ctx)
        layer.reply.send(replacement)
def next_layer(next_layer):
    """
    This hook does the actual magic - if the next layer is planned to be a TLS layer,
    we check if we want to enter pass-through mode instead.
    """
    if isinstance(next_layer, TlsLayer) and next_layer._client_tls:
        server_address = next_layer.server_conn.address
        assert not is_rpc_call(server_address)

        # We don't intercept - reply with a pass-through layer and add a "skipped" entry.
        next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
        next_layer.reply.send(next_layer_replacement)
        tls_strategy.record_skipped(server_address)
Beispiel #5
0
def next_layer(next_layer):
    """
    This hook does the actual magic - if the next layer is planned to be a TLS layer,
    we check if we want to enter pass-through mode instead.
    """
    if isinstance(next_layer, TlsLayer) and next_layer._client_tls:
        server_address = next_layer.server_conn.address

        if tls_strategy.should_intercept(server_address):
            # We try to intercept.
            # Monkey-Patch the layer to get feedback from the TLSLayer if interception worked.
            next_layer.__class__ = TlsFeedback
        else:
            # We don't intercept - reply with a pass-through layer and add a "skipped" entry.
            mitmproxy.ctx.log("TLS passthrough for %s" % repr(next_layer.server_conn.address), "info")
            next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
            next_layer.reply.send(next_layer_replacement)
            tls_strategy.record_skipped(server_address)
Beispiel #6
0
def do_passthru(client_addr, server_addr, fqdns, layer):
    flex_port = None
    if is_flex_domain(client_addr, server_addr, fqdns):
        flex_port = passthru_flex_port(client_addr, fqdns[0])
        if flex_port:
            if log_debug:
                bubble_log.debug(
                    'do_passthru: applying flex passthru for server=' +
                    server_addr + ', fqdns=' + str(fqdns))
            layer_replacement = BubbleFlexPassthruLayer(
                layer.ctx, ('127.0.0.1', flex_port), fqdns[0], 443)
            layer.reply.send(layer_replacement)
        else:
            if log_debug:
                bubble_log.debug(
                    'do_passthru: detected flex passthru but no flex routers available for server='
                    + server_addr + ', fqdns=' + str(fqdns))
    if flex_port is None:
        layer_replacement = RawTCPLayer(layer.ctx, ignore=True)
        layer.reply.send(layer_replacement)