author | Aldo Cortesi <aldo@nullcube.com> | 2014-03-02 17:27:24 +1300 |
committer | Aldo Cortesi <aldo@nullcube.com> | 2014-03-02 17:27:24 +1300 |
commit | f373ac5b6c443d0e633323e39b846fbe78822c2c (patch) | |
tree | 7323cfea5bda32b019c927da58d8b44163883cf3 | |
parent | 863b1e14552f5216ae4c47bf6dfe9b68ff2ca13b (diff) | |
Improve explicit certificate specification
- Support cert/key in the same PEM file
- Rationalize arguments, expand tests, clean up a bit
-rw-r--r-- | libmproxy/cmdline.py | 2 | ||||
-rw-r--r-- | libmproxy/proxy.py | 40 | ||||
-rw-r--r-- | test/test_proxy.py | 9 | ||||
-rw-r--r-- | test/tservers.py | 1 |
4 files changed, 36 insertions, 16 deletions
diff --git a/libmproxy/cmdline.py b/libmproxy/cmdline.py
index 8e7ab4a1..7950d40b 100644
--- a/libmproxy/cmdline.py
+++ b/libmproxy/cmdline.py
@@ -387,4 +387,4 @@ def common_options(parser):
 help="Allow access to users specified in an Apache htpasswd file."
 )
- proxy.certificate_option_group(parser)
+ proxy.ssl_option_group(parser)
diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py
index 0203ba86..9ff8887d 100644
--- a/libmproxy/proxy.py
+++ b/libmproxy/proxy.py
@@ -4,6 +4,7 @@ from netlib import tcp, http, certutils, http_auth
 import utils, version, platform, controller, stateobject
 TRANSPARENT_SSL_PORTS = [443, 8443]
+CA_CERT_NAME = "mitmproxy-ca.pem"
 class AddressPriority(object):
@@ -37,9 +38,10 @@ class Log:
 class ProxyConfig:
- def __init__(self, certfile=None, cacert=None, clientcerts=None, no_upstream_cert=False, body_size_limit=None,
+ def __init__(self, certfile=None, keyfile=None, cacert=None, clientcerts=None, no_upstream_cert=False, body_size_limit=None,
 reverse_proxy=None, forward_proxy=None, transparent_proxy=None, authenticator=None):
 self.certfile = certfile
+ self.keyfile = keyfile
 self.cacert = cacert
 self.clientcerts = clientcerts
 self.no_upstream_cert = no_upstream_cert
@@ -381,7 +383,7 @@ class ConnectionHandler:
 if self.client_conn.ssl_established:
 raise ProxyError(502, "SSL to Client already established.")
 dummycert = self.find_cert()
- self.client_conn.convert_to_ssl(dummycert, self.config.certfile or self.config.cacert,
+ self.client_conn.convert_to_ssl(dummycert, self.config.keyfile or self.config.cacert,
 handle_sni=self.handle_sni)
 def server_reconnect(self, no_ssl=False):
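Review bot: The `keyfile = certfile` fallback lives only in process_proxy_options, so a ProxyConfig built directly with certfile and no keyfile (the library path, and what test/tservers.py did before this commit) hands `self.config.cacert` to convert_to_ssl as the key in the @@ -381 hunk, pairing the CA key with whatever find_cert returns for a user certificate, and the mismatch surfaces at the client handshake rather than at configuration time. Putting the default in the constructor keeps both entry points consistent: `self.keyfile = keyfile or certfile`. What find_cert returns when certfile is configured is outside the hunk, so the exact failure mode is inferred; the __init__ body continues past the hunk.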
@@ -498,12 +500,17 @@ class DummyServer:
 # Command-line utils
-def certificate_option_group(parser):
+def ssl_option_group(parser):
 group = parser.add_argument_group("SSL")
 group.add_argument(
- "--cert", action="store",
- type=str, dest="cert", default=None,
- help="User-created SSL certificate file."
+ "--certfile", action="store",
+ type=str, dest="certfile", default=None,
+ help="SSL certificate in PEM format, optionally with the key in the same file."
+ )
+ group.add_argument(
+ "--keyfile", action="store",
+ type=str, dest="keyfile", default=None,
+ help="Key matching certfile."
 )
 group.add_argument(
 "--client-certs", action="store",
@@ -513,12 +520,20 @@ def certificate_option_group(parser):
 def process_proxy_options(parser, options):
- if options.cert:
- options.cert = os.path.expanduser(options.cert)
- if not os.path.exists(options.cert):
- return parser.error("Manually created certificate does not exist: %s" % options.cert)
+ if options.certfile:
+ options.certfile = os.path.expanduser(options.certfile)
+ if not os.path.exists(options.certfile):
+ return parser.error("Certificate file does not exist: %s" % options.certfile)
+
+ if options.keyfile:
+ options.keyfile = os.path.expanduser(options.keyfile)
+ if not os.path.exists(options.keyfile):
+ return parser.error("Key file does not exist: %s" % options.keyfile)
+
+ if options.certfile and not options.keyfile:
+ options.keyfile = options.certfile
- cacert = os.path.join(options.confdir, "mitmproxy-ca.pem")
+ cacert = os.path.join(options.confdir, CA_CERT_NAME)
 cacert = os.path.expanduser(cacert)
 if not os.path.exists(cacert):
 certutils.dummy_ca(cacert)
@@ -575,7 +590,8 @@ def process_proxy_options(parser, options):
 authenticator = http_auth.NullProxyAuth(None)
 return ProxyConfig(
- certfile=options.cert,
+ certfile=options.certfile,
+ keyfile=options.keyfile,
 cacert=cacert,
 clientcerts=options.clientcerts,
 body_size_limit=body_size_limit,
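Review bot: `--keyfile` without `--certfile` passes the checks in the @@ -513 hunk and reaches ProxyConfig with keyfile set and certfile unset, after which convert_to_ssl (the @@ -381 hunk) pairs the user's key with the CA-issued dummy certificate and the error only appears at the first client handshake; reject the combination up front with `if options.keyfile and not options.certfile: return parser.error("--keyfile requires --certfile")`. The existence checks also say nothing about content: with `--certfile` alone the code assumes the PEM carries the private key, and a cert-only file again fails at handshake time instead of at startup, so before the `options.keyfile = options.certfile` default consider at least `if "PRIVATE KEY" not in open(options.certfile).read(): return parser.error("Certificate file contains no private key: %s" % options.certfile)`, or a real key load if the project's SSL layer exposes one. process_proxy_options continues outside the hunk.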
diff --git a/test/test_proxy.py b/test/test_proxy.py
index c42d66e7..5ff00290 100644
--- a/test/test_proxy.py
+++ b/test/test_proxy.py
@@ -70,9 +70,12 @@ class TestProcessProxyOptions:
 def test_simple(self):
 assert self.p()
- def test_cert(self):
- self.assert_noerr("--cert", tutils.test_data.path("data/testkey.pem"))
- self.assert_err("does not exist", "--cert", "nonexistent")
+ def test_certfile_keyfile(self):
+ self.assert_noerr("--certfile", tutils.test_data.path("data/testkey.pem"))
+ self.assert_err("does not exist", "--certfile", "nonexistent")
+
+ self.assert_noerr("--keyfile", tutils.test_data.path("data/testkey.pem"))
+ self.assert_err("does not exist", "--keyfile", "nonexistent")
 def test_confdir(self):
 with tutils.tmpdir() as confdir:
diff --git a/test/tservers.py b/test/tservers.py
index 812e8921..a0f37c98 100644
--- a/test/tservers.py
+++ b/test/tservers.py
@@ -128,6 +128,7 @@ class ProxTestBase(object):
 d["clientcerts"] = tutils.test_data.path("data/clientcert")
 if cls.certfile:
 d["certfile"] =tutils.test_data.path("data/testkey.pem")
+ d["keyfile"] =tutils.test_data.path("data/testkey.pem")
 return d |
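Review bot: test_certfile_keyfile exercises each flag on its own but never the two together, and not the case the commit message is about, a `--certfile` PEM carrying its key with `--keyfile` omitted; add `self.assert_noerr("--certfile", tutils.test_data.path("data/testkey.pem"), "--keyfile", tutils.test_data.path("data/testkey.pem"))`, and once option processing rejects a lone `--keyfile`, an `assert_err` for that. Whether assert_noerr returns the resulting ProxyConfig so `keyfile == certfile` can be asserted is not visible in this hunk.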
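Review bot: The added line in test/tservers.py copies the missing space after `=` from the line above it (`d["keyfile"] =tutils...`); since both point at the same file, `d["keyfile"] = d["certfile"]` is cleaner and keeps the two in step if the fixture path changes. The enclosing method starts outside the hunk.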