author | Kyle Morton <kylemorton@google.com> | 2015-06-29 10:32:57 -0700 |
---|---|---|
committer | Kyle Morton <kylemorton@google.com> | 2015-06-29 11:00:20 -0700 |
commit | f0ad1f334ca57fdf57a3bfb190d314fc8d983475 (patch) | |
tree | a22397901680338545ee69d614ed418e40528475 /libmproxy/proxy/server.py | |
parent | aebad44d550d917489c802d0d51e1002f87b4e3b (diff) | |
Enabling upstream server verification. Added flags --verify_upstream_cert,
--upstream-trusted-cadir, and --upstream-trusted-ca.
Diffstat (limited to 'libmproxy/proxy/server.py')
-rw-r--r-- | libmproxy/proxy/server.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 051e8489..2711bd0e 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -235,8 +235,18 @@ class ConnectionHandler:
 sni,
 method=self.config.openssl_method_server,
 options=self.config.openssl_options_server,
+ verify_options=self.config.openssl_verification_mode_server,
+ ca_path=self.config.openssl_trusted_cadir_server,
+ ca_pemfile=self.config.openssl_trusted_ca_server,
 cipher_list=self.config.ciphers_server,
 )
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Ignoring server verification error, continuing with connection", "error")
 except tcp.NetLibError as v:
 e = ProxyError(502, repr(v))
 # Workaround for https://github.com/mitmproxy/mitmproxy/issues/427
@@ -246,6 +256,13 @@ class ConnectionHandler:
 if client and "handshake failure" in e.message:
 self.server_conn.may_require_sni = e
 else:
+ ssl_cert_err = self.server_conn.ssl_verification_error
+ if ssl_cert_err is not None:
+ self.log(
+ "SSL verification failed for upstream server at depth %s with error: %s" %
+ (ssl_cert_err['depth'], ssl_cert_err['errno']),
+ "error")
+ self.log("Aborting connection attempt", "error")
 raise e
 if client:
 if self.client_conn.ssl_established: |
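Review bot: The branch after the `ssl_verification_error` check in the first hunk logs the upstream certificate failure at "error" level and then continues with the connection, and nothing in the code states why continuing is acceptable — presumably this path is only reachable when `openssl_verification_mode_server` is a non-fatal mode (a strict mode would make the handshake raise and land in the except branch below), but that is not visible here. Add a why-comment above the check, e.g. `# Non-fatal verification mode: the handshake succeeded despite the failure, so report it but keep the connection`, and if the mode is strict this should not be reachable at all, which is worth an explicit note. Logging `ssl_cert_err['errno']` alone gives the operator a bare OpenSSL verify code; if netlib's error dict also carries a human-readable message, include it in the same log line. The `try` that this hunk sits inside begins before the hunk.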
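Review bot: In the second hunk's `else:` branch the verification failure is logged but the `ProxyError` that is actually raised still carries only `repr(v)` from the line above, so the client gets a generic 502 and the real cause lives only in the proxy log. Rebuild the error inside the `if ssl_cert_err is not None:` block so the cause is propagated: `e = ProxyError(502, "Upstream SSL verification failed at depth %s (error %s): %s" % (ssl_cert_err['depth'], ssl_cert_err['errno'], repr(v)))`. The seven-line log block is also a byte-for-byte copy of the one in the first hunk; a small `_log_upstream_verification_error(self, ssl_cert_err)` helper would keep the two messages from drifting apart. The enclosing method continues past the end of the hunk.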