diff options
| -rw-r--r-- | mitmproxy/net/tls.py | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/mitmproxy/net/tls.py b/mitmproxy/net/tls.py index 2c9f6c85..d8e943d3 100644 --- a/mitmproxy/net/tls.py +++ b/mitmproxy/net/tls.py @@ -87,7 +87,18 @@ class MasterSecretLogger: __name__ = "MasterSecretLogger" def __call__(self, connection, where, ret): - if where == SSL.SSL_CB_HANDSHAKE_DONE and ret == 1: + done_now = ( + where == SSL.SSL_CB_HANDSHAKE_DONE and ret == 1 + ) + # this is a horrendous workaround for https://github.com/mitmproxy/mitmproxy/pull/3692#issuecomment-608454530: + # OpenSSL 1.1.1f decided to not make connection.master_key() fail in the SSL_CB_HANDSHAKE_DONE callback. + # To support various OpenSSL versions and still log master secrets, we now mark connections where this has + # happened and then try again on the next event. This is ugly and shouldn't be done, but eventually we + # replace this with context.set_keylog_callback anyways. + done_previously_but_not_logged_yet = ( + hasattr(connection, "_still_needs_masterkey") + ) + if done_now or done_previously_but_not_logged_yet: with self.lock: if not self.f: d = os.path.dirname(self.filename) @@ -95,10 +106,16 @@ class MasterSecretLogger: os.makedirs(d) self.f = open(self.filename, "ab") self.f.write(b"\r\n") - client_random = binascii.hexlify(connection.client_random()) - masterkey = binascii.hexlify(connection.master_key()) - self.f.write(b"CLIENT_RANDOM %s %s\r\n" % (client_random, masterkey)) - self.f.flush() + try: + client_random = binascii.hexlify(connection.client_random()) + masterkey = binascii.hexlify(connection.master_key()) + except (AssertionError, SSL.Error): # careful: exception type changes between pyOpenSSL versions + connection._still_needs_masterkey = True + else: + self.f.write(b"CLIENT_RANDOM %s %s\r\n" % (client_random, masterkey)) + self.f.flush() + if hasattr(connection, "_still_needs_masterkey"): + delattr(connection, "_still_needs_masterkey") def close(self): with self.lock: |