def test_tls_start_client(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
tctx.configure(
ta,
certs=[
tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
)
],
ciphers_client="ECDHE-ECDSA-AES128-GCM-SHA256",
)
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
tls_start = tls.TlsData(ctx.client, context=ctx)
ta.tls_start_client(tls_start)
tssl_server = tls_start.ssl_conn
# assert that a preexisting ssl_conn is not overwritten
ta.tls_start_client(tls_start)
assert tssl_server is tls_start.ssl_conn
tssl_client = test_tls.SSLTest()
assert self.do_handshake(tssl_client, tssl_server)
assert tssl_client.obj.getpeercert()["subjectAltName"] == ((
"DNS", "example.mitmproxy.org"), )
def test_tls_start_server_verify_ok(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
ctx.server.address = ("example.mitmproxy.org", 443)
tctx.configure(ta, ssl_verify_upstream_trusted_ca=tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-root.crt"))
tls_start = tls.TlsStartData(ctx.server, context=ctx)
ta.tls_start_server(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
assert self.do_handshake(tssl_client, tssl_server)
def test_tls_start_server_verify_failed(self):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options)
ctx.client.alpn_offers = [b"h2"]
ctx.client.cipher_list = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA"]
ctx.server.address = ("example.mitmproxy.org", 443)
tls_start = tls.TlsData(ctx.server, context=ctx)
ta.tls_start_server(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
with pytest.raises(SSL.Error, match="certificate verify failed"):
assert self.do_handshake(tssl_client, tssl_server)
def test_create_proxy_server_ssl_conn_insecure(self):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ctx = context.Context(
connection.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
ctx.server.address = ("example.mitmproxy.org", 443)
tctx.configure(ta,
ssl_verify_upstream_trusted_ca=None,
ssl_insecure=True,
http2=False,
ciphers_server="ALL")
tls_start = tls.TlsStartData(ctx.server, context=ctx)
ta.tls_start(tls_start)
tssl_client = tls_start.ssl_conn
tssl_server = test_tls.SSLTest(server_side=True)
assert self.do_handshake(tssl_client, tssl_server)
def test_create_client_proxy_ssl_conn(self, tdata):
ta = tlsconfig.TlsConfig()
with taddons.context(ta) as tctx:
ta.configure(["confdir"])
tctx.configure(
ta,
certs=[
tdata.path(
"mitmproxy/net/data/verificationcerts/trusted-leaf.pem"
)
])
ctx = context.Context(
context.Client(("client", 1234), ("127.0.0.1", 8080),
1605699329), tctx.options)
tctx.options.add_upstream_certs_to_client_chain = True
tls_start = tls.TlsStartData(ctx.client, context=ctx)
ta.tls_start(tls_start)
tssl_server = tls_start.ssl_conn
tssl_client = test_tls.SSLTest()
assert self.do_handshake(tssl_client, tssl_server)
assert tssl_client.obj.getpeercert()["subjectAltName"] == ((
"DNS", "example.mitmproxy.org"), )
