(
self, data: bytes
)
| 292 | yield commands.SendData(self.conn, data) |
| 293 | |
| 294 | def receive_handshake_data( |
| 295 | self, data: bytes |
| 296 | ) -> layer.CommandGenerator[tuple[bool, str | None]]: |
| 297 | # bio_write errors for b"", so we need to check first if we actually received something. |
| 298 | if data: |
| 299 | self.tls.bio_write(data) |
| 300 | try: |
| 301 | self.tls.do_handshake() |
| 302 | except SSL.WantReadError: |
| 303 | yield from self.tls_interact() |
| 304 | return False, None |
| 305 | except SSL.Error as e: |
| 306 | # provide more detailed information for some errors. |
| 307 | last_err = ( |
| 308 | e.args and isinstance(e.args[0], list) and e.args[0] and e.args[0][-1] |
| 309 | ) |
| 310 | if last_err in [ |
| 311 | ( |
| 312 | "SSL routines", |
| 313 | "tls_process_server_certificate", |
| 314 | "certificate verify failed", |
| 315 | ), |
| 316 | ("SSL routines", "", "certificate verify failed"), # OpenSSL 3+ |
| 317 | ]: |
| 318 | verify_result = SSL._lib.SSL_get_verify_result(self.tls._ssl) # type: ignore |
| 319 | error = SSL._ffi.string( # type: ignore |
| 320 | SSL._lib.X509_verify_cert_error_string(verify_result) # type: ignore |
| 321 | ).decode() |
| 322 | err = f"Certificate verify failed: {error}" |
| 323 | elif last_err in [ |
| 324 | ("SSL routines", "ssl3_read_bytes", "tlsv1 alert unknown ca"), |
| 325 | ("SSL routines", "ssl3_read_bytes", "sslv3 alert bad certificate"), |
| 326 | ("SSL routines", "ssl3_read_bytes", "ssl/tls alert bad certificate"), |
| 327 | ("SSL routines", "", "tlsv1 alert unknown ca"), # OpenSSL 3+ |
| 328 | ("SSL routines", "", "sslv3 alert bad certificate"), # OpenSSL 3+ |
| 329 | ("SSL routines", "", "ssl/tls alert bad certificate"), # OpenSSL 3.2+ |
| 330 | ]: |
| 331 | assert isinstance(last_err, tuple) |
| 332 | err = last_err[2] |
| 333 | elif ( |
| 334 | last_err |
| 335 | in [ |
| 336 | ("SSL routines", "ssl3_get_record", "wrong version number"), |
| 337 | ("SSL routines", "", "wrong version number"), # OpenSSL 3+ |
| 338 | ("SSL routines", "", "packet length too long"), # OpenSSL 3+ |
| 339 | ("SSL routines", "", "record layer failure"), # OpenSSL 3+ |
| 340 | ] |
| 341 | and data[:4].isascii() |
| 342 | ): |
| 343 | err = f"The remote server does not speak TLS." |
| 344 | elif last_err in [ |
| 345 | ("SSL routines", "ssl3_read_bytes", "tlsv1 alert protocol version"), |
| 346 | ("SSL routines", "", "tlsv1 alert protocol version"), # OpenSSL 3+ |
| 347 | ]: |
| 348 | err = ( |
| 349 | f"The remote server and mitmproxy cannot agree on a TLS version to use. " |
| 350 | f"You may need to adjust mitmproxy's tls_version_server_min option." |
| 351 | ) |