-rw-r--r-- | mitmproxy/net/tcp.py | 9 | ||||
-rw-r--r-- | test/mitmproxy/net/test_tcp.py | 12 |
2 files changed, 20 insertions, 1 deletions
diff --git a/mitmproxy/net/tcp.py b/mitmproxy/net/tcp.py
index 117fda6d..ac78e70d 100644
--- a/mitmproxy/net/tcp.py
+++ b/mitmproxy/net/tcp.py
@@ -551,7 +551,14 @@ class _Connection:
         context.set_verify(verify_options, verify_cert)
         if ca_path is None and ca_pemfile is None:
             ca_pemfile = certifi.where()
-        context.load_verify_locations(ca_pemfile, ca_path)
+        try:
+            context.load_verify_locations(ca_pemfile, ca_path)
+        except SSL.Error:
+            raise exceptions.TlsException(
+                "Cannot load trusted certificates ({}, {}).".format(
+                    ca_pemfile, ca_path
+                )
+            )
 
         # Workaround for
         # https://github.com/pyca/pyopenssl/issues/190
diff --git a/test/mitmproxy/net/test_tcp.py b/test/mitmproxy/net/test_tcp.py
index c5b026ef..cf3d30f7 100644
--- a/test/mitmproxy/net/test_tcp.py
+++ b/test/mitmproxy/net/test_tcp.py
@@ -199,6 +199,18 @@ class TestSSLv3Only(tservers.ServerTestBase):
         tutils.raises(exceptions.TlsException, c.convert_to_ssl, sni="foo.com")
 
 
+class TestInvalidTrustFile(tservers.ServerTestBase):
+    def test_invalid_trust_file_should_fail(self):
+        c = tcp.TCPClient(("127.0.0.1", self.port))
+        with c.connect():
+            with tutils.raises(exceptions.TlsException):
+                c.convert_to_ssl(
+                    sni="example.mitmproxy.org",
+                    verify_options=SSL.VERIFY_PEER,
+                    ca_pemfile=tutils.test_data.path("mitmproxy/net/data/verificationcerts/generate.py")
+                )
+
+
 class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
     handler = EchoHandler
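Review bot: The new `except SSL.Error:` branch discards the OpenSSL error it caught, so the TlsException an operator sees names the paths but never says why the trust store was rejected (unreadable file, PEM parse error, empty hash directory), which is exactly what they need to distinguish a misconfigured CA bundle from a corrupt one. Bind the exception and include it in the message: `except SSL.Error as e:` and `"Cannot load trusted certificates ({}, {}): {}".format(ca_pemfile, ca_path, e)`; if this tree is Python 3 only, also chain it with `from e` so the original traceback survives. Note that an SSL.Error here is the only failure this catches; pyOpenSSL does not raise when `ca_path` points at a directory with no hashed certificates, so a wrong `ca_path` still goes unreported until peer verification fails on the handshake. The enclosing method starts and ends outside the hunk.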
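Review bot: The new test asserts only that convert_to_ssl raises some TlsException, so it does not prove the trust-store check fired: with `verify_options=SSL.VERIFY_PEER` against a ServerTestBase whose handler and ssl settings are not set in this hunk, a handshake or verification failure would raise the same exception type and the test would pass without the tcp.py change. Match on the new message, e.g. `with tutils.raises(exceptions.TlsException, matches="Cannot load trusted certificates"):` if tutils.raises supports a match argument, otherwise `pytest.raises(exceptions.TlsException, match="Cannot load trusted certificates")`. It would also be worth asserting the negative case nearby, that a good `ca_pemfile` does not raise at the load_verify_locations step, so a regression that rejects valid bundles is caught too.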