def test_tls_start_client(self, tdata):
    """Client-side TLS setup: present the trusted leaf cert and handshake.

    Configures the addon with ``trusted-leaf.pem`` and a single
    ECDHE-ECDSA/AES-GCM cipher for the client side, then checks that
    (1) a second ``tls_start_client`` call leaves an existing ``ssl_conn``
    untouched and (2) the certificate seen by the test client carries the
    expected subjectAltName.

    NOTE(review): the sibling tests in this file use ``tls.TlsStartData``
    and ``ta.tls_start`` for the same purpose; confirm which API this
    mitmproxy version actually exposes.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as harness:
        addon.configure(["confdir"])
        leaf_cert = tdata.path(
            "mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
        )
        harness.configure(
            addon,
            certs=[leaf_cert],
            ciphers_client="ECDHE-ECDSA-AES128-GCM-SHA256",
        )
        proxy_ctx = context.Context(
            connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329),
            harness.options,
        )
        start_data = tls.TlsData(proxy_ctx.client, context=proxy_ctx)
        addon.tls_start_client(start_data)
        server_conn = start_data.ssl_conn

        # Calling tls_start_client again must not replace the ssl_conn that
        # the first call created (identity check, not equality).
        addon.tls_start_client(start_data)
        assert server_conn is start_data.ssl_conn

        peer_client = test_tls.SSLTest()
        assert self.do_handshake(peer_client, server_conn)
        expected_san = (("DNS", "example.mitmproxy.org"),)
        assert peer_client.obj.getpeercert()["subjectAltName"] == expected_san
def test_tls_start_server_verify_ok(self, tdata):
    """Upstream certificate verification succeeds with the test root trusted.

    Points the proxy's server connection at example.mitmproxy.org, installs
    ``trusted-root.crt`` as the upstream trust anchor via
    ``ssl_verify_upstream_trusted_ca``, and expects the handshake against a
    server-side ``SSLTest`` peer to complete (i.e. the peer's chain must
    validate up to that root).
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as harness:
        proxy_ctx = context.Context(
            connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329),
            harness.options,
        )
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        trust_anchor = tdata.path(
            "mitmproxy/net/data/verificationcerts/trusted-root.crt"
        )
        harness.configure(addon, ssl_verify_upstream_trusted_ca=trust_anchor)
        start_data = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start_server(start_data)
        upstream_conn = start_data.ssl_conn
        peer_server = test_tls.SSLTest(server_side=True)
        assert self.do_handshake(upstream_conn, peer_server)
def test_tls_start_server_verify_failed(self):
    """Upstream verification must fail when no trusted CA is configured.

    No ``ssl_verify_upstream_trusted_ca`` is set here, so the certificate
    offered by the server-side ``SSLTest`` peer has no trust anchor and the
    handshake is expected to abort with ``SSL.Error`` matching
    "certificate verify failed". This is the negative counterpart of
    ``test_tls_start_server_verify_ok``.

    The client-side ALPN offers and cipher list are populated first —
    presumably so ``tls_start_server`` has client preferences to mirror;
    verify against the addon implementation.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as harness:
        proxy_ctx = context.Context(
            connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329),
            harness.options,
        )
        proxy_ctx.client.alpn_offers = [b"h2"]
        proxy_ctx.client.cipher_list = [
            "TLS_AES_256_GCM_SHA384",
            "ECDHE-RSA-AES128-SHA",
        ]
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)

        start_data = tls.TlsData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start_server(start_data)
        upstream_conn = start_data.ssl_conn
        peer_server = test_tls.SSLTest(server_side=True)

        # The handshake itself is what must raise; the assert is only
        # reached if verification unexpectedly passes.
        with pytest.raises(SSL.Error, match="certificate verify failed"):
            assert self.do_handshake(upstream_conn, peer_server)
def test_create_proxy_server_ssl_conn_insecure(self):
    """``ssl_insecure=True`` lets an upstream handshake succeed unverified.

    With ``ssl_verify_upstream_trusted_ca=None`` there is no trust anchor at
    all, so without ``ssl_insecure`` this handshake would be expected to fail
    (compare ``test_tls_start_server_verify_failed``). The test pins the
    opt-out path: HTTP/2 is disabled and the server cipher list is opened up
    to "ALL", and the handshake against the server-side ``SSLTest`` peer
    must complete despite the unverifiable certificate.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as harness:
        proxy_ctx = context.Context(
            connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329),
            harness.options,
        )
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        harness.configure(
            addon,
            ssl_verify_upstream_trusted_ca=None,
            ssl_insecure=True,
            http2=False,
            ciphers_server="ALL",
        )
        start_data = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start(start_data)
        upstream_conn = start_data.ssl_conn
        peer_server = test_tls.SSLTest(server_side=True)
        assert self.do_handshake(upstream_conn, peer_server)
def test_create_client_proxy_ssl_conn(self, tdata):
    """Client-facing TLS with ``add_upstream_certs_to_client_chain`` enabled.

    Serves ``trusted-leaf.pem`` to the test client, sets the
    ``add_upstream_certs_to_client_chain`` option directly on the harness
    options, runs ``tls_start`` for the client connection, and checks that
    the handshake completes and the presented certificate carries the
    expected subjectAltName.

    NOTE(review): this test builds the client via ``context.Client`` while
    the sibling tests use ``connection.Client``; confirm both names resolve
    in this mitmproxy version.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as harness:
        addon.configure(["confdir"])
        leaf_cert = tdata.path(
            "mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
        )
        harness.configure(addon, certs=[leaf_cert])
        proxy_ctx = context.Context(
            context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329),
            harness.options,
        )
        harness.options.add_upstream_certs_to_client_chain = True

        start_data = tls.TlsStartData(proxy_ctx.client, context=proxy_ctx)
        addon.tls_start(start_data)
        server_conn = start_data.ssl_conn
        peer_client = test_tls.SSLTest()
        assert self.do_handshake(peer_client, server_conn)
        expected_san = (("DNS", "example.mitmproxy.org"),)
        assert peer_client.obj.getpeercert()["subjectAltName"] == expected_san