diff options
| author | Kyle Morton <kylemorton@google.com> | 2015-06-29 10:32:57 -0700 |
|---|---|---|
| committer | Kyle Morton <kylemorton@google.com> | 2015-06-29 11:00:20 -0700 |
| commit | f0ad1f334ca57fdf57a3bfb190d314fc8d983475 (patch) | |
| tree | a22397901680338545ee69d614ed418e40528475 /libmproxy/proxy/config.py | |
| parent | aebad44d550d917489c802d0d51e1002f87b4e3b (diff) | |
| download | mitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.tar.gz mitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.tar.bz2 mitmproxy-f0ad1f334ca57fdf57a3bfb190d314fc8d983475.zip | |
Enabling upstream server verification. Added flags --verify_upstream_cert,
--upstream-trusted-cadir, and --upstream-trusted-ca.
Diffstat (limited to 'libmproxy/proxy/config.py')
| -rw-r--r-- | libmproxy/proxy/config.py | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index a7a719cf..c5306b4a 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -52,6 +52,9 @@ class ProxyConfig: ssl_version_server=tcp.SSL_DEFAULT_METHOD, ssl_ports=TRANSPARENT_SSL_PORTS, spoofed_ssl_port=None, + ssl_verify_upstream_cert=False, + ssl_upstream_trusted_cadir=None, + ssl_upstream_trusted_ca=None ): self.host = host self.port = port @@ -100,6 +103,13 @@ class ProxyConfig: self.openssl_method_server = ssl_version_server else: self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server] + + if ssl_verify_upstream_cert: + self.openssl_verification_mode_server = SSL.VERIFY_PEER + else: + self.openssl_verification_mode_server = SSL.VERIFY_NONE + self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir + self.openssl_trusted_ca_server = ssl_upstream_trusted_ca self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS @@ -203,7 +213,10 @@ def process_proxy_options(parser, options): ssl_version_client=options.ssl_version_client, ssl_version_server=options.ssl_version_server, ssl_ports=ssl_ports, - spoofed_ssl_port=spoofed_ssl_port + spoofed_ssl_port=spoofed_ssl_port, + ssl_verify_upstream_cert=options.ssl_verify_upstream_cert, + ssl_upstream_trusted_cadir=options.ssl_upstream_trusted_cadir, + ssl_upstream_trusted_ca=options.ssl_upstream_trusted_ca ) @@ -243,6 +256,23 @@ def ssl_option_group(parser): help="Don't connect to upstream server to look up certificate details." ) group.add_argument( + "--verify-upstream-cert", default=False, + action="store_true", dest="ssl_verify_upstream_cert", + help="Verify upstream server SSL/TLS certificates and fail if invalid " + "or not present." + ) + group.add_argument( + "--upstream-trusted-cadir", default=None, action="store", + dest="ssl_upstream_trusted_cadir", + help="Path to a directory of trusted CA certificates for upstream " + "server verification prepared using the c_rehash tool." + ) + group.add_argument( + "--upstream-trusted-ca", default=None, action="store", + dest="ssl_upstream_trusted_ca", + help="Path to a PEM formatted trusted CA certificate." + ) + group.add_argument( "--ssl-port", action="append", type=int, |