From 0a642f2441f30988db3ca5db276716e2371e6f2f Mon Sep 17 00:00:00 2001 From: Aldo Cortesi Date: Mon, 27 Jun 2011 16:10:17 +1200 Subject: Make the certificate wait time configurable. Since OpenSSL doesn't let us set certificate start times in the past, the client and proxy machine time must be synchronized, or the client might reject the certificate. We can bodgy over small discrepancies by waiting a few seconds after a new certificate is generated (i.e. the first time an SSL domain is contacted). Make this a configurable option, and turn it off by default. --- libmproxy/proxy.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'libmproxy/proxy.py') diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py index 77498842..916d18eb 100644 --- a/libmproxy/proxy.py +++ b/libmproxy/proxy.py @@ -23,11 +23,12 @@ class ProxyError(Exception): class SSLConfig: - def __init__(self, certfile = None, ciphers = None, cacert = None): + def __init__(self, certfile = None, ciphers = None, cacert = None, cert_wait_time=None): self.certfile = certfile self.ciphers = ciphers self.cacert = cacert self.certdir = None + self.cert_wait_time = cert_wait_time def read_chunked(fp): @@ -613,6 +614,7 @@ class ProxyHandler(SocketServer.StreamRequestHandler): return self.config.certfile else: ret = utils.dummy_cert(self.config.certdir, self.config.cacert, host) + time.sleep(self.config.cert_wait_time) if not ret: raise ProxyError(400, "mitmproxy: Unable to generate dummy cert.") return ret @@ -784,5 +786,6 @@ def process_certificate_option_group(parser, options): return SSLConfig( certfile = options.cert, cacert = cacert, - ciphers = options.ciphers + ciphers = options.ciphers, + cert_wait_time = options.cert_wait_time ) -- cgit v1.2.3