This addon supplies the proxy core with the desired OpenSSL connection objects to negotiate TLS.
| 115 | |
| 116 | |
| 117 | class TlsConfig: |
| 118 | """ |
| 119 | This addon supplies the proxy core with the desired OpenSSL connection objects to negotiate TLS. |
| 120 | """ |
| 121 | |
| 122 | certstore: certs.CertStore = None # type: ignore |
| 123 | |
| 124 | # TODO: We should support configuring TLS 1.3 cipher suites (https://github.com/mitmproxy/mitmproxy/issues/4260) |
| 125 | # TODO: We should re-use SSL.Context options here, if only for TLS session resumption. |
| 126 | # This may require patches to pyOpenSSL, as some functionality is only exposed on contexts. |
| 127 | # TODO: This addon should manage the following options itself, which are current defined in mitmproxy/options.py: |
| 128 | # - upstream_cert |
| 129 | # - add_upstream_certs_to_client_chain |
| 130 | # - key_size |
| 131 | # - certs |
| 132 | # - cert_passphrase |
| 133 | # - ssl_verify_upstream_trusted_ca |
| 134 | # - ssl_verify_upstream_trusted_confdir |
| 135 | |
| 136 | def load(self, loader): |
| 137 | insecure_tls_min_versions = ( |
| 138 | ", ".join(x.name for x in net_tls.INSECURE_TLS_MIN_VERSIONS[:-1]) |
| 139 | + f" and {net_tls.INSECURE_TLS_MIN_VERSIONS[-1].name}" |
| 140 | ) |
| 141 | loader.add_option( |
| 142 | name="tls_version_client_min", |
| 143 | typespec=str, |
| 144 | default=net_tls.DEFAULT_MIN_VERSION.name, |
| 145 | choices=[x.name for x in net_tls.Version], |
| 146 | help=f"Set the minimum TLS version for client connections. " |
| 147 | f"{insecure_tls_min_versions} are insecure.", |
| 148 | ) |
| 149 | loader.add_option( |
| 150 | name="tls_version_client_max", |
| 151 | typespec=str, |
| 152 | default=net_tls.DEFAULT_MAX_VERSION.name, |
| 153 | choices=[x.name for x in net_tls.Version], |
| 154 | help=f"Set the maximum TLS version for client connections.", |
| 155 | ) |
| 156 | loader.add_option( |
| 157 | name="tls_version_server_min", |
| 158 | typespec=str, |
| 159 | default=net_tls.DEFAULT_MIN_VERSION.name, |
| 160 | choices=[x.name for x in net_tls.Version], |
| 161 | help=f"Set the minimum TLS version for server connections. " |
| 162 | f"{insecure_tls_min_versions} are insecure.", |
| 163 | ) |
| 164 | loader.add_option( |
| 165 | name="tls_version_server_max", |
| 166 | typespec=str, |
| 167 | default=net_tls.DEFAULT_MAX_VERSION.name, |
| 168 | choices=[x.name for x in net_tls.Version], |
| 169 | help=f"Set the maximum TLS version for server connections.", |
| 170 | ) |
| 171 | loader.add_option( |
| 172 | name="tls_ecdh_curve_client", |
| 173 | typespec=str | None, |
| 174 | default=None, |