authorAldo Cortesi <aldo@nullcube.com>2015-06-24 09:27:08 +1200
committerAldo Cortesi <aldo@nullcube.com>2015-06-24 09:27:08 +1200
commitdb6576ca6f3133eda61551a4827723997562b928 (patch)
tree0a6079230d85e99bd80d54588f495d397f82e246 /netlib/tcp.py
parent80dd703a2a230ace2159d47e499fbb1196bba27e (diff)
parent4766bce63d787888f9d4ed07e9ce0b63764b22d1 (diff)
Merge pull request #76 from kyle-m/master
Provide debugging information when upstream server certificate fails validation
Diffstat (limited to 'netlib/tcp.py')
-rw-r--r--netlib/tcp.py24
1 files changed, 14 insertions, 10 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 705cc311..74a275c9 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -412,14 +412,13 @@ class _Connection(object):
if options is not None:
context.set_options(options)
- # Verify Options (NONE/PEER/PEER|FAIL_IF_... and trusted CAs)
- if verify_options is not None and verify_options is not SSL.VERIFY_NONE:
- def verify_cert(conn_, cert_, errno, err_depth, is_cert_verified):
- if is_cert_verified:
- return True
- raise NetLibError(
- "Upstream certificate validation failed at depth: %s with error number: %s" %
- (err_depth, errno))
+ # Verify Options (NONE/PEER and trusted CAs)
+ if verify_options is not None:
+ def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
+ if not is_cert_verified:
+ self.ssl_verification_error = dict(errno=errno,
+ depth=err_depth)
+ return is_cert_verified
context.set_verify(verify_options, verify_cert)
context.load_verify_locations(ca_pemfile, ca_path)
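Review bot: Nothing clears `self.ssl_verification_error` before the callback is installed, so a connection object whose context is rebuilt keeps a stale error from an earlier attempt, and with several certificates in the chain only the last failing depth survives; resetting it at the top of the branch, `self.ssl_verification_error = None` just before `def verify_cert(...)`, ties the attribute to the current handshake. The callback is now also installed for `SSL.VERIFY_NONE` (the removed lines excluded it), in which mode OpenSSL ignores the return value, so the attribute can be populated while the handshake still succeeds; a comment such as `# Under VERIFY_NONE OpenSSL ignores the result; the error is recorded for diagnostics only, enforcement comes from verify_options` would stop a reader from treating it as a rejection signal. Since the certificate object is passed in as `x509`, recording its subject alongside errno and depth (e.g. `subject=x509.get_subject()`) would make the diagnostic actionable. The enclosing `_create_ssl_context` starts outside the hunk.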
@@ -480,6 +479,7 @@ class TCPClient(_Connection):
self.connection, self.rfile, self.wfile = None, None, None
self.cert = None
self.ssl_established = False
+ self.ssl_verification_error = None
self.sni = None
def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):
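Review bot: The attribute is initialised only on `TCPClient`, yet the callback that assigns it lives in `_Connection._create_ssl_context`, which `BaseHandler` also inherits; if `BaseHandler.__init__` (not shown here) does not set it too, reading `ssl_verification_error` on a server-side connection that has not yet failed verification raises `AttributeError`. Initialising it in `_Connection` or as a class attribute `ssl_verification_error = None` on `_Connection` would cover both subclasses. The enclosing `__init__` starts outside the hunk.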
@@ -578,7 +578,8 @@ class BaseHandler(_Connection):
dhparams=None,
**sslctx_kwargs):
"""
- cert: A certutils.SSLCert object.
+ cert: A certutils.SSLCert object or the path to a certificate
+ chain file.
handle_sni: SNI handler, should take a connection object. Server
name can be retrieved like this:
@@ -605,7 +606,10 @@ class BaseHandler(_Connection):
context = self._create_ssl_context(**sslctx_kwargs)
context.use_privatekey(key)
- context.use_certificate(cert.x509)
+ if isinstance(cert, certutils.SSLCert):
+ context.use_certificate(cert.x509)
+ else:
+ context.use_certificate_chain_file(cert)
if handle_sni:
# SNI callback happens during do_handshake()