author | Ryan Laughlin <rofreg@gmail.com> | 2016-09-30 16:39:44 -0400 |
committer | Ryan Laughlin <rofreg@gmail.com> | 2016-09-30 16:39:44 -0400 |
commit | fbf8567a79a84ee0379e11dbecf215768dcaa706 (patch) | |
tree | 20ce74698df2f85ffcb516c1abdfb172e7c8e590 | |
parent | e0cd33b5863cebb78c38873e32540ee4c495ec15 (diff) | |
download | mitmproxy-fbf8567a79a84ee0379e11dbecf215768dcaa706.tar.gz mitmproxy-fbf8567a79a84ee0379e11dbecf215768dcaa706.tar.bz2 mitmproxy-fbf8567a79a84ee0379e11dbecf215768dcaa706.zip |
Fix SSL error
This fixes an issue that occurs when a user supplies a custom SSL cert with intermediate certs that contradict the default certifi set of root certificates. In particular, this addresses an issue where the "COMODO RSA Certification Authority" cert in certifi is NOT trusted on OS X by default as of OS X 10.11.6. Even when the user manually supplied a different valid "COMODO RSA Certification Authority" cert in their custom SSL cert .pem file, that cert would be overridden by certifi's default cert.
-rw-r--r-- | netlib/tcp.py | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index b1a6db5a..64b9ce3b 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -817,7 +817,7 @@ class BaseHandler(_Connection):
 until then we're conservative.
 """
- context = self._create_ssl_context(**sslctx_kwargs)
+ context = self._create_ssl_context(ca_pemfile=chain_file, **sslctx_kwargs)
 context.use_privatekey(key)
 if isinstance(cert, certutils.SSLCert):
@@ -840,10 +840,6 @@ class BaseHandler(_Connection):
 return True
 context.set_verify(SSL.VERIFY_PEER, save_cert)
- # Cert Verify
- if chain_file:
- context.load_verify_locations(chain_file)
-
 if dhparams:
 SSL._lib.SSL_CTX_set_tmp_dh(context._context, dhparams)
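Review bot: The new call `self._create_ssl_context(ca_pemfile=chain_file, **sslctx_kwargs)` raises `TypeError` (multiple values for keyword argument) as soon as a caller already passes `ca_pemfile` through `sslctx_kwargs`, and it now forwards `chain_file` even when it is `None`, which the removed `if chain_file:` guard in the second hunk used to skip; `_create_ssl_context` is outside the hunk, so whether it falls back to a default trust store for `None` should be confirmed. A guarded merge avoids both problems: `if chain_file:` / `    sslctx_kwargs = dict(sslctx_kwargs, ca_pemfile=chain_file)` / `context = self._create_ssl_context(**sslctx_kwargs)`. The trust semantics also change from appending the chain file to the default CA bundle to supplying it in place of that bundle, which appears to be the intended fix per the commit message but deserves a comment at the call site, e.g. `# chain_file replaces, rather than extends, the default CA bundle so a user-supplied root wins over certifi's copy`. The enclosing method begins before the hunk, and the `save_cert` callback handed to `set_verify` in the second hunk ends with `return True`, so the trust store contents do not appear to decide whether a peer certificate is accepted here — worth stating in that comment as well.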