def test_alpn_selection(self):
    """The ALPN list offered upstream is derived from the client's offers and ``http2``.

    With ``http2`` enabled the client's offers pass through unchanged; with it
    disabled the HTTP/2 entries are dropped.  An empty client offer list
    yields the proxy's own default ALPNs.  A client whose TLS setup has
    already completed gets no offers at all, so an h1 session is never
    upgraded to h2.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        client_conn = connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        tls_start = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)

        def check_alpn(http2, client_offers, expected):
            # Reconfigure, clear any previous server offers, run the hook once
            # and compare what the addon decided to offer upstream.
            tctx.configure(addon, http2=http2)
            proxy_ctx.client.alpn_offers = client_offers
            proxy_ctx.server.alpn_offers = None
            addon.tls_start(tls_start)
            assert proxy_ctx.server.alpn_offers == expected

        offers_with_foo = tls.HTTP_ALPNS + (b"foo",)
        check_alpn(True, offers_with_foo, offers_with_foo)
        check_alpn(False, offers_with_foo, tls.HTTP1_ALPNS + (b"foo",))
        check_alpn(True, [], tls.HTTP_ALPNS)
        check_alpn(False, [], tls.HTTP1_ALPNS)

        # Make sure that we don't upgrade h1 to h2 once the client handshake
        # is already done; see comment in tlsconfig.py.
        proxy_ctx.client.timestamp_tls_setup = time.time()
        check_alpn(True, [], [])
def test_create_client_proxy_ssl_conn(self, tdata):
    """The client-facing SSL connection presents the configured leaf certificate.

    Configures a trusted leaf certificate and a single client cipher suite,
    runs ``tls_start`` for the client connection, completes a handshake
    against the resulting connection object and checks the SAN of the
    certificate the test client received.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        addon.configure(["confdir"])
        leaf_cert = tdata.path(
            "mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
        )
        tctx.configure(
            addon,
            certs=[leaf_cert],
            ciphers_client="ECDHE-ECDSA-AES128-GCM-SHA256",
        )
        client_conn = context.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        tctx.options.add_upstream_certs_to_client_chain = True
        tls_start = tls.TlsStartData(proxy_ctx.client, context=proxy_ctx)
        addon.tls_start(tls_start)
        # ssl_conn is the proxy's end of the client connection; SSLTest()
        # without server_side plays the connecting client.
        proxy_side = tls_start.ssl_conn
        client_side = test_tls.SSLTest()
        assert self.do_handshake(client_side, proxy_side)
        san = client_side.obj.getpeercert()["subjectAltName"]
        assert san == (("DNS", "example.mitmproxy.org"),)
def test_tls_start_server_verify_ok(self, tdata):
    """Upstream certificate verification succeeds when the trusted root CA is configured.

    Points ``ssl_verify_upstream_trusted_ca`` at the test root certificate,
    runs ``tls_start_server`` and completes a handshake against a test
    server; any verification error would surface as a handshake failure.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        client_conn = connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        trusted_root = tdata.path("mitmproxy/net/data/verificationcerts/trusted-root.crt")
        tctx.configure(addon, ssl_verify_upstream_trusted_ca=trusted_root)
        tls_start = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start_server(tls_start)
        # The proxy is the TLS client towards upstream; SSLTest plays the server.
        proxy_side = tls_start.ssl_conn
        upstream = test_tls.SSLTest(server_side=True)
        assert self.do_handshake(proxy_side, upstream)
def test_tls_start_server_verify_failed(self):
    """The upstream handshake is rejected when the server certificate cannot be verified.

    Unlike ``test_tls_start_server_verify_ok`` no trusted CA is configured
    here, so the handshake must fail with a verification error rather than
    silently succeed.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        client_conn = connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        # Client-side parameters that the addon may mirror upstream.
        proxy_ctx.client.alpn_offers = [b"h2"]
        proxy_ctx.client.cipher_list = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA"]
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        tls_start = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start_server(tls_start)
        proxy_side = tls_start.ssl_conn
        upstream = test_tls.SSLTest(server_side=True)
        # The error must be a verification failure, not some other SSL error.
        with pytest.raises(SSL.Error, match="certificate verify failed"):
            assert self.do_handshake(proxy_side, upstream)
def test_no_h2_proxy(self, tdata):
    """Do not negotiate h2 on the client<->proxy connection in secure web proxy mode.

    See https://github.com/mitmproxy/mitmproxy/issues/4689.  The negotiated
    client ALPN must come back as ``http/1.1`` even though no ``http2``
    option is touched here.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        leaf_cert = tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.pem")
        tctx.configure(addon, certs=[leaf_cert])
        client_conn = connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        # Mock up something that looks like a secure web proxy: an HttpProxy
        # mode layer at the bottom of the stack followed by a dummy entry.
        proxy_ctx.layers = [modes.HttpProxy(proxy_ctx), 123]
        tls_start = tls.TlsStartData(proxy_ctx.client, context=proxy_ctx)
        addon.tls_start_client(tls_start)
        negotiated = tls_start.ssl_conn.get_app_data()["client_alpn"]
        assert negotiated == b"http/1.1"
def test_create_proxy_server_ssl_conn_insecure(self):
    """With ``ssl_insecure`` set the upstream handshake succeeds without any trusted CA.

    Verification is explicitly disabled and the server cipher list opened up
    to ``ALL``; this is the opt-in configuration in which upstream identity
    is not checked, so the handshake must complete rather than fail as in
    ``test_tls_start_server_verify_failed``.
    """
    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        client_conn = connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329)
        proxy_ctx = context.Context(client_conn, tctx.options)
        proxy_ctx.server.address = ("example.mitmproxy.org", 443)
        tctx.configure(
            addon,
            ssl_verify_upstream_trusted_ca=None,
            ssl_insecure=True,
            http2=False,
            ciphers_server="ALL",
        )
        tls_start = tls.TlsStartData(proxy_ctx.server, context=proxy_ctx)
        addon.tls_start(tls_start)
        # The proxy is the TLS client towards upstream; SSLTest plays the server.
        proxy_side = tls_start.ssl_conn
        upstream = test_tls.SSLTest(server_side=True)
        assert self.do_handshake(proxy_side, upstream)