
Commit 7c7b561

committed
enable client authentication between client and proxy server
1 parent 2e9c822 commit 7c7b561


2 files changed

+28
-1
lines changed


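--- a/my_certs/readme.md
+++ b/my_certs/readme.md
@@ -0,0 +1,22 @@
+1. use openssl to generate certificate and private for proxy server and client
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout client-key.pem -out client-cert.pem -days 365
+openssl req -nodes -x509 -newkey rsa:4096 -keyout server-key.pem -out server-cert.pem -days 365
+
+note:
+I'm setting up a local proxy for test, so make sure when generating certs and keys, the fqdn matches the ip of the proxy/client, other certificates won't work
+
+2. update code in utils.py.wrap_socket to enable client side authentication
+
+ctx.verify_mode = ssl.CERT_REQUIRED
+client_ca_cert_path = r"D:\Projects\proxy.py\my_certs\client-cert.pem" # client cert path
+logging.warning('I am loading utlis.wrap_socket')
+ctx.load_verify_locations(cafile=client_ca_cert_path)
+
+3. start the proxy server with the following command
+
+proxy --hostname 192.168.1.4 --cert-file .\proxy.py\my_certs\server-cert.pem --key-file .\proxy.py\my_certs\server-key.pem --ca-cert-file .\proxy.py\my_certs\client-cert.pem
+
+4. run the curl command to verify
+
+curl -x https://192.168.1.4:8899 --proxy-cacert ./proxy.py/my_certs/server-cert.pem --proxy-cert ./proxy.py/my_certs/client-cert.pem --proxy-key ./proxy.py/my_certs/client-key.pem https://httpbin.org/get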

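--- a/proxy/common/utils.py
+++ b/proxy/common/utils.py
@@ -13,6 +13,7 @@
 import functools
 import ipaddress
 import socket
+import logging
 
 from types import TracebackType
 from typing import Optional, Dict, Any, List, Tuple, Type, Callable
@@ -156,10 +157,14 @@ def wrap_socket(conn: socket.socket, keyfile: str,
     ctx = ssl.create_default_context(
         ssl.Purpose.CLIENT_AUTH)
     ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
-    ctx.verify_mode = ssl.CERT_NONE
+    ctx.verify_mode = ssl.CERT_REQUIRED
+    client_ca_cert_path = r"D:\Projects\proxy.py\my_certs\client-cert.pem"
+    logging.warning('I am loading utlis.wrap_socket')
+    ctx.load_verify_locations(cafile=client_ca_cert_path)
     ctx.load_cert_chain(
         certfile=certfile,
         keyfile=keyfile)
+    logging.warning('I am in utlis.wrap_socket')
     return ctx.wrap_socket(
         conn,
         server_side=True,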
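Review bot: The trust anchor on the new `client_ca_cert_path` line is a hard-coded absolute Windows path, so on any other machine every accepted connection fails inside `load_verify_locations` with FileNotFoundError, and the readme's step 3 already passes `--ca-cert-file` to the proxy — that value should reach `wrap_socket` as a parameter instead of being baked into a shared utility module (whether the flag is plumbed this far cannot be seen from the hunk). With a parameter, `CERT_REQUIRED` can be set only when a CA file is actually supplied, so callers that do not want mutual TLS keep the previous `CERT_NONE` behaviour rather than having every handshake rejected. The two `logging.warning(...)` calls also fire at WARNING level on every TLS handshake; the usual shape is a module-level `logger = logging.getLogger(__name__)` used at `debug` level, or no log line at all. `wrap_socket`'s signature begins before the hunk; the rewrite below touches it to add the optional parameter, and `Optional` is already imported in the first hunk's context.
```python
def wrap_socket(conn: socket.socket, keyfile: str,
                certfile: str,
                ca_file: Optional[str] = None) -> ssl.SSLSocket:
    # … unchanged: create_default_context / ctx.options …
    if ca_file:
        # Mutual TLS: require a client certificate and verify it against ca_file.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    # … unchanged: load_cert_chain / return ctx.wrap_socket …
```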
