Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify upstream certificates by default. #1111 #1197

Closed
wants to merge 10 commits into from
Closed

Verify upstream certificates by default. #1111 #1197

wants to merge 10 commits into from

Conversation

s4chin
Copy link
Contributor

@s4chin s4chin commented Jun 2, 2016

This adds the --insecure option and enables certificate verification by default. The tests fail and I need help in knowing how to fix them.

@s4chin
Copy link
Contributor Author

s4chin commented Jun 4, 2016

Adds the basic features as per #1111

@mhils
Copy link
Member

mhils commented Jun 7, 2016

This looks great, but we're still failing on some systems. @Kriechi, any idea?

@s4chin: I'd love to have a toggle for this in the mitmproxy options (press o in mitmproxy). Do you think you could get that going? 😃

@s4chin
Copy link
Contributor Author

s4chin commented Jun 7, 2016
edited

Which key do I assign for the toggle insecure option? I'm using K.

@mhils
Copy link
Member

mhils commented Jun 8, 2016
edited

The options seems to be the wrong way around at the moment?

cortesi
cortesi reviewed Jun 9, 2016
View reviewed changes
mitmproxy/console/options.py
@@ -191,6 +197,10 @@ def toggle_upstream_cert(self):
self.master.server.config.no_upstream_cert = not self.master.server.config.no_upstream_cert
signals.update_settings.send(self)

def toggle_ssl_insecure(self):
self.master.server.config.ssl_insecure = not self.master.server.config.ssl_insecure
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fails, because ProxyConfig doesn't have an ssl_insecure attribute

@cortesi
Copy link
Member

cortesi commented Jun 9, 2016

Sachin, thanks for working on this. It's a valuable feature we definitely need. Please take a look at the comments I've added inline in the code - there's more work needed before we can merge.

@s4chin
Copy link
Contributor Author

s4chin commented Jun 15, 2016

I made changes according to all your comments. Should I also squash all the commits?

@mhils
Copy link
Member

mhils commented Jun 16, 2016

Looks way better now! 😃

The ProxyConfig.openssl_verification_mode_server part looks like it's going to fail at some point where somebody forgets to update one of the attributes. Can we implement openssl_verification_mode_server as a @property ?

We should also add a test (class) that overrides get_proxy_config to remove the insecure=True default in the test suite and verifies that we actually fail for untrusted CAs.

@mhils
Copy link
Member

mhils commented Jun 16, 2016

What about the remaining failing tests? @Kriechi, any idea?

@tdickers
Copy link

I may be late to the party, but you may find that this site helps with testing: https://badssl.com/

Kriechi
Kriechi reviewed Jun 18, 2016
View reviewed changes
test/mitmproxy/tservers.py
@@ -122,6 +122,7 @@ def get_proxy_config(cls):
cadir = cls.cadir,
authenticator = cls.authenticator,
add_upstream_certs_to_client_chain = cls.add_upstream_certs_to_client_chain,
ssl_insecure = True,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this changes the default for all HTTP/2 tests - maybe we can only set this to true in the tests we actually want it to change?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's fine if all tests are run using --insecure. We should add a tests that assures that we actually verify the certificate if ssl_insecure is not passed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, HTTP/2 misses this value - because it has its own TestBase.
@s4chin please add the same option here:

mitmproxy/test/mitmproxy/test_protocol_http2.py

Lines 97 to 101 in 5d0de16

return dict(
no_upstream_cert = False,
cadir = cls.cadir,
authenticator = None,
)

@Kriechi
Copy link
Member

Kriechi commented Jun 22, 2016

About the failing HTTP/2 tests, the error message is:

TlsException('Cannot validate certificate hostname without SNI',)",)

@Kriechi
Copy link
Member

Kriechi commented Jun 22, 2016

I just pushed an improved version of the HTTP/2 tests in 5d0de16. This should make it easier to debug and track down the underlying cause.

@mhils
Copy link
Member

mhils commented Jun 25, 2016

Thanks for fixing the tests, I will take a look over the weekend! 😃

@mhils mhils added this to the 0.18 milestone Jul 27, 2016
@mhils mhils self-assigned this Jul 28, 2016
@mhils mhils mentioned this pull request Jul 28, 2016
Merged
@cortesi cortesi closed this in #1447 Aug 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mhils mhils

Labels
None yet
Projects
None yet
Milestone
0.18
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@s4chin @mhils @cortesi @tdickers @Kriechi