is there a way to configure the cipher suites mitmproxy supports?


Rouli

Jul 26, 2012, 1:00:23 PM7/26/12
to mitm...@googlegroups.com
For testing I want to make sure that the ssl channel between the client and mitmproxy will be one of a few specific cipher suites. Since I can't control the client, can I somehow disable some of the suites mitmproxy supports? 
I guess that I'm looking for something like ssl.conf for mitmproxy

thanks!

Aldo Cortesi

Jul 26, 2012, 1:20:04 PM7/26/12
to mitm...@googlegroups.com
Hi Rouli,

On 26/07/2012, at 11:00 PM, Rouli <roul...@gmail.com> wrote:

> For testing I want to make sure that the ssl channel between the client and mitmproxy will be one of a few specific cipher suites. Since I can't control the client, can I somehow disable some of the suites mitmproxy supports?
> I guess that I'm looking for something like ssl.conf for mitmproxy

Not in the current master, no. Earlier versions did have a cipher suite specification, but it fell by the wayside when we moved over to PyOpenSSL. It would be pretty trivial to re-add, but unfortunately I'm amazingly busy right now and don't have time to tackle it. I'll describe what needs to be done just in case some enterprising person wants to contribute to mitmproxy.

- First, we'd need to extend the convert_to_ssl functions in netlib (http://github.com/cortesi/netlib) to let us set the cipher suite on PyOpenSSL contexts. The documentation for doing that is here: http://packages.python.org/pyOpenSSL/openssl-context.html.
- Then, we'd extend the standard command line options to allow cipher suite specification (cmdline.py and the process_proxy_options function in proxy.py).
- And finally we'd make sure that the right arguments are added to the convert_to_ssl function calls in pproxy.py.

There's a little bit of thinking to be done - for instance, do we want the user to be able to specify cipher suites independently for upstream and downstream connections? We'd also need to have a set of supported cipher suites and a command line flag to let the user dump them (or, at a minimum, a list in the documentation).

Cheers,

Aldo

--
Aldo Cortesi
blog: http://corte.si
twitter: @cortesi
work: www.nullcube.com
+64 210 718 900

Rouli

Jul 26, 2012, 1:31:54 PM7/26/12
to mitm...@googlegroups.com
Thanks for the pointers.
I'll check it out and see if I'm smart enough to add it in.


Rouli

Aug 19, 2013, 5:15:31 PM8/19/13
to mitm...@googlegroups.com
Reviving an old thread, maybe someone will have insights:

So, I started implementing this feature in 0.9 following Aldo's advice.
Basically, I need that for the client-proxy interface, so I've changed netlib's BaseHandler's convert_to_ssl.

        # Added inside netlib's BaseHandler.convert_to_ssl; `SSL` is pyOpenSSL's
        # OpenSSL.SSL module and `ctx` the SSL.Context built just above.
        if cipher_list:
            ctx.set_cipher_list(cipher_list)
        self.connection = SSL.Connection(ctx, self.connection)
        print self.connection.get_cipher_list()  # shows what this context offers

Now, I pass it 'RC4-SHA', and even get as a printout ['RC4-SHA'], so technically, everything worked.
However, when I look in Wireshark for that stream, it seems that it has no effect.

Also opened a stackoverflow thread for this issue

Rouli

Aug 20, 2013, 11:05:10 AM8/20/13
to mitm...@googlegroups.com
short update - seems like do_handshake resets the cipher_list

Rouli

Aug 20, 2013, 5:16:57 PM8/20/13
to mitm...@googlegroups.com
solved - it is handle_sni callback that resets the context configuration, including the cipher list.
hopefully, I'll ask for a pull request tomorrow.
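As an added illustration (not code from this thread, nor from mitmproxy or netlib), the failure mode Rouli found, reproduced with Python's standard ssl module standing in for pyOpenSSL: the SNI callback installs a fresh context, and unless the cipher list is reapplied to that context the restriction set on the original one is silently lost. The hostname handling is a stand-in, and a current suite replaces RC4-SHA, which modern OpenSSL builds refuse.

```python
import ssl

# Suite the operator wants the client-facing side restricted to. RC4-SHA from
# the thread is refused by current OpenSSL builds, so a modern suite stands in.
ALLOWED_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256"


def make_server_context(cipher_list=None):
    """Server-side context, pinned to `cipher_list` when one is given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_list:
        ctx.set_ciphers(cipher_list)  # stdlib name for pyOpenSSL's set_cipher_list
    return ctx


def tls12_cipher_names(ctx):
    """Pre-TLS1.3 suites the context offers. TLS 1.3 suites are configured
    separately and always listed, so they are left out of the comparison."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def per_host_context(server_name, reapply_ciphers):
    """Context an SNI handler builds for `server_name` (hostname unused here; a
    real proxy would pick the certificate for it). With reapply_ciphers=False
    this reproduces the thread's bug: the new context never sees the list."""
    return make_server_context(ALLOWED_CIPHERS if reapply_ciphers else None)


def install_sni_handler(listen_ctx, reapply_ciphers):
    """Wire an SNI callback that swaps in a per-host context, the way netlib's
    handle_sni does. Returns listen_ctx for chaining."""
    def on_sni(ssl_obj, server_name, _initial_ctx):
        # From this assignment on, the handshake continues on the new context;
        # anything that was only set on listen_ctx no longer applies.
        ssl_obj.context = per_host_context(server_name, reapply_ciphers)
    listen_ctx.sni_callback = on_sni
    return listen_ctx


if __name__ == "__main__":
    listener = install_sni_handler(make_server_context(ALLOWED_CIPHERS), reapply_ciphers=False)
    print("listener offers:       ", tls12_cipher_names(listener))
    print("buggy SNI context:     ", tls12_cipher_names(per_host_context("example.test", False)))
    print("fixed SNI context:     ", tls12_cipher_names(per_host_context("example.test", True)))
```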