Verify upstream certificates by default. #1111 #1197
Adds the basic features as per #1111
Which key do I assign for the toggle insecure option? I'm using
The options seem to be the wrong way around at the moment?
@@ -191,6 +197,10 @@ def toggle_upstream_cert(self): | |||
self.master.server.config.no_upstream_cert = not self.master.server.config.no_upstream_cert | |||
signals.update_settings.send(self) | |||
|
|||
def toggle_ssl_insecure(self): | |||
self.master.server.config.ssl_insecure = not self.master.server.config.ssl_insecure |
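Review bot: toggle_ssl_insecure, as far as the visible lines go, flips config.ssl_insecure without the signals.update_settings.send(self) call that toggle_upstream_cert makes right above it, so the console may not redraw after the toggle. Since this switch turns upstream certificate verification off at runtime, send the same signal and make sure the current state is visible to the user.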
This fails, because ProxyConfig doesn't have an ssl_insecure attribute
Sachin, thanks for working on this. It's a valuable feature we definitely need. Please take a look at the comments I've added inline in the code - there's more work needed before we can merge.
I made changes according to all your comments. Should I also squash all the commits?
Looks way better now! 😃 The We should also add a test (class) that overrides
What about the remaining failing tests? @Kriechi, any idea?
I may be late to the party, but you may find that this site helps with testing: https://badssl.com/
@@ -122,6 +122,7 @@ def get_proxy_config(cls): | |||
cadir = cls.cadir, | |||
authenticator = cls.authenticator, | |||
add_upstream_certs_to_client_chain = cls.add_upstream_certs_to_client_chain, | |||
ssl_insecure = True, |
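Review bot: ssl_insecure = True is hard-coded in get_proxy_config, while the neighbouring options are read from class attributes (cls.cadir, cls.authenticator, cls.add_upstream_certs_to_client_chain). Reading it from a class attribute as well, for example ssl_insecure = cls.ssl_insecure, would let a single test class set it to False and cover the verifying path without changing the setting for every other test.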
I think this changes the default for all HTTP/2 tests - maybe we can only set this to true in the tests we actually want it to change?
It's fine if all tests are run using --insecure. We should add a test that assures that we actually verify the certificate if ssl_insecure is not passed.
Actually, HTTP/2 misses this value - because it has its own TestBase.
@s4chin please add the same option here:
mitmproxy/test/mitmproxy/test_protocol_http2.py
Lines 97 to 101 in 5d0de16
    return dict(
        no_upstream_cert = False,
        cadir = cls.cadir,
        authenticator = None,
    )
About the failing HTTP/2 tests, the error message is:
I just pushed an improved version of the HTTP/2 tests in 5d0de16. This should make it easier to debug and track down the underlying cause.
Thanks for fixing the tests, I will take a look over the weekend! 😃
This adds the --insecure option and enables certificate verification by default. The tests fail and I need help in knowing how to fix them.