Add option to allow insecure upstream SSL connections

hippolyzer/apps/proxy.py

@@ -16,7 +16,7 @@ from hippolyzer.lib.proxy.addons import AddonManager
 from hippolyzer.lib.proxy.addon_utils import BaseAddon
 from hippolyzer.lib.proxy.ca_utils import setup_ca
 from hippolyzer.lib.proxy.commands import handle_command
-from hippolyzer.lib.proxy.http_proxy import create_http_proxy, create_proxy_master, HTTPFlowContext
+from hippolyzer.lib.proxy.http_proxy import create_http_proxy, HTTPFlowContext
 from hippolyzer.lib.proxy.http_event_manager import MITMProxyEventManager
 from hippolyzer.lib.proxy.lludp_proxy import SLSOCKS5Server
 from hippolyzer.lib.base.message.message import Message
@@ -85,12 +85,12 @@ class REPLAddon(BaseAddon):
             AddonManager.spawn_repl()
 
 
-def run_http_proxy_process(proxy_host, http_proxy_port, flow_context: HTTPFlowContext):
+def run_http_proxy_process(proxy_host, http_proxy_port, flow_context: HTTPFlowContext, ssl_insecure=False):
     mitm_loop = asyncio.new_event_loop()
     asyncio.set_event_loop(mitm_loop)
 
     async def mitmproxy_loop():
-        mitmproxy_master = create_http_proxy(proxy_host, http_proxy_port, flow_context)
+        mitmproxy_master = create_http_proxy(proxy_host, http_proxy_port, flow_context, ssl_insecure=ssl_insecure)
         gc.freeze()
         await mitmproxy_master.run()
 
@@ -98,7 +98,7 @@ def run_http_proxy_process(proxy_host, http_proxy_port, flow_context: HTTPFlowCo
 
 
 def start_proxy(session_manager: SessionManager, extra_addons: Optional[list] = None,
-                extra_addon_paths: Optional[list] = None, proxy_host=None):
+                extra_addon_paths: Optional[list] = None, proxy_host=None, ssl_insecure=False):
     extra_addons = extra_addons or []
     extra_addon_paths = extra_addon_paths or []
     extra_addons.append(SelectionManagerAddon())
@@ -123,17 +123,13 @@ def start_proxy(session_manager: SessionManager, extra_addons: Optional[list] =
     # TODO: argparse
     if len(sys.argv) == 3:
         if sys.argv[1] == "--setup-ca":
-            try:
-                mitmproxy_master = create_http_proxy(proxy_host, http_proxy_port, flow_context)
-            except mitmproxy.exceptions.MitmproxyException:
-                # Proxy already running, create the master so we don't try to bind to a port
-                mitmproxy_master = create_proxy_master(proxy_host, http_proxy_port, flow_context)
+            mitmproxy_master = create_http_proxy(proxy_host, http_proxy_port, flow_context)
             setup_ca(sys.argv[2], mitmproxy_master)
             return sys.exit(0)
 
     http_proc = multiprocessing.Process(
         target=run_http_proxy_process,
-        args=(proxy_host, http_proxy_port, flow_context),
+        args=(proxy_host, http_proxy_port, flow_context, ssl_insecure),
         daemon=True,
     )
     http_proc.start()

hippolyzer/apps/proxy_gui.py

@@ -42,7 +42,7 @@ from hippolyzer.lib.base.network.transport import Direction, SocketUDPTransport
 from hippolyzer.lib.proxy.addons import BaseInteractionManager, AddonManager
 from hippolyzer.lib.proxy.ca_utils import setup_ca_everywhere
 from hippolyzer.lib.proxy.caps_client import ProxyCapsClient
-from hippolyzer.lib.proxy.http_proxy import create_proxy_master, HTTPFlowContext
+from hippolyzer.lib.proxy.http_proxy import create_http_proxy, HTTPFlowContext
 from hippolyzer.lib.proxy.message_logger import LLUDPMessageLogEntry, AbstractMessageLogEntry, WrappingMessageLogger, \
     import_log_entries, export_log_entries
 from hippolyzer.lib.proxy.region import ProxiedRegion
@@ -275,9 +275,11 @@ class MessageLogWindow(QtWidgets.QMainWindow):
         self.actionOpenMessageBuilder.triggered.connect(self._openMessageBuilder)
 
         self.actionProxyRemotelyAccessible.setChecked(self.settings.REMOTELY_ACCESSIBLE)
+        self.actionProxySSLInsecure.setChecked(self.settings.SSL_INSECURE)
         self.actionUseViewerObjectCache.setChecked(self.settings.USE_VIEWER_OBJECT_CACHE)
         self.actionRequestMissingObjects.setChecked(self.settings.AUTOMATICALLY_REQUEST_MISSING_OBJECTS)
         self.actionProxyRemotelyAccessible.triggered.connect(self._setProxyRemotelyAccessible)
+        self.actionProxySSLInsecure.triggered.connect(self._setProxySSLInsecure)
         self.actionUseViewerObjectCache.triggered.connect(self._setUseViewerObjectCache)
         self.actionRequestMissingObjects.triggered.connect(self._setRequestMissingObjects)
         self.actionOpenNewMessageLogWindow.triggered.connect(self._openNewMessageLogWindow)
@@ -458,7 +460,7 @@ class MessageLogWindow(QtWidgets.QMainWindow):
         if clicked_btn is not yes_btn:
             return
 
-        master = create_proxy_master("127.0.0.1", -1, HTTPFlowContext())
+        master = create_http_proxy("127.0.0.1", -1, HTTPFlowContext())
         dirs = setup_ca_everywhere(master)
 
         msg = QtWidgets.QMessageBox()
@@ -474,6 +476,12 @@ class MessageLogWindow(QtWidgets.QMainWindow):
         msg.setText("Remote accessibility setting changes will take effect on next run")
         msg.exec()
 
+    def _setProxySSLInsecure(self, checked: bool):
+        self.sessionManager.settings.SSL_INSECURE = checked
+        msg = QtWidgets.QMessageBox()
+        msg.setText("SSL security setting changes will take effect on next run")
+        msg.exec()
+
     def _setUseViewerObjectCache(self, checked: bool):
         self.sessionManager.settings.USE_VIEWER_OBJECT_CACHE = checked
 
@@ -937,6 +945,7 @@ def gui_main():
         session_manager=window.sessionManager,
         extra_addon_paths=window.getAddonList(),
         proxy_host=http_host,
+        ssl_insecure=settings.SSL_INSECURE,
     )
 
 

hippolyzer/apps/proxy_mainwindow.ui

@@ -245,7 +245,7 @@
      <x>0</x>
      <y>0</y>
      <width>700</width>
-     <height>22</height>
+     <height>29</height>
     </rect>
    </property>
    <widget class="QMenu" name="menuFile">
@@ -268,6 +268,7 @@
     <addaction name="actionProxyRemotelyAccessible"/>
     <addaction name="actionUseViewerObjectCache"/>
     <addaction name="actionRequestMissingObjects"/>
+    <addaction name="actionProxySSLInsecure"/>
    </widget>
    <addaction name="menuFile"/>
   </widget>
@@ -342,6 +343,17 @@
     <string>Export Log Entries</string>
    </property>
   </action>
+  <action name="actionProxySSLInsecure">
+   <property name="checkable">
+    <bool>true</bool>
+   </property>
+   <property name="text">
+    <string>Allow Insecure SSL Connections</string>
+   </property>
+   <property name="toolTip">
+    <string>Allow invalid SSL certificates from upstream connections</string>
+   </property>
+  </action>
  </widget>
  <resources/>
  <connections/>

hippolyzer/lib/proxy/http_proxy.py

@@ -236,7 +236,7 @@ class SLMITMMaster(mitmproxy.master.Master):
         )
 
 
-def create_proxy_master(host, port, flow_context: HTTPFlowContext):  # pragma: no cover
+def create_http_proxy(host, port, flow_context: HTTPFlowContext, ssl_insecure=False):  # pragma: no cover
     opts = mitmproxy.options.Options()
     master = SLMITMMaster(flow_context, opts)
 
@@ -251,10 +251,6 @@ def create_proxy_master(host, port, flow_context: HTTPFlowContext):  # pragma: n
         ssl_verify_upstream_trusted_ca=ca_bundle,
         listen_host=host,
         listen_port=port,
+        ssl_insecure=ssl_insecure,
     )
     return master
-
-
-def create_http_proxy(bind_host, port, flow_context: HTTPFlowContext):  # pragma: no cover
-    master = create_proxy_master(bind_host, port, flow_context)
-    return master

hippolyzer/lib/proxy/settings.py

@@ -35,3 +35,4 @@ class ProxySettings(Settings):
     AUTOMATICALLY_REQUEST_MISSING_OBJECTS: bool = SettingDescriptor(False)
     ADDON_SCRIPTS: List[str] = SettingDescriptor(list)
     FILTERS: Dict[str, str] = SettingDescriptor(dict)
+    SSL_INSECURE: bool = SettingDescriptor(False)