enable client authentication between client and proxy server

Author: yunhaoling

my_certs/readme.md

@@ -0,0 +1,22 @@
+1. use openssl to generate certificate and private for proxy server and client
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout client-key.pem -out client-cert.pem -days 365
+openssl req -nodes -x509 -newkey rsa:4096 -keyout server-key.pem -out server-cert.pem -days 365
+
+note:
+I'm setting up a local proxy for test, so make sure when generating certs and keys, the fqdn matches the ip of the proxy/client, other certificates won't work
+
+2. update code in utils.py.wrap_socket to enable client side authentication
+
+ctx.verify_mode = ssl.CERT_REQUIRED
+client_ca_cert_path = r"D:\Projects\proxy.py\my_certs\client-cert.pem"  # client cert path
+logging.warning('I am loading utlis.wrap_socket')
+ctx.load_verify_locations(cafile=client_ca_cert_path)
+
+3. start the proxy server with the following command
+
+proxy --hostname 192.168.1.4 --cert-file .\proxy.py\my_certs\server-cert.pem --key-file .\proxy.py\my_certs\server-key.pem --ca-cert-file .\proxy.py\my_certs\client-cert.pem
+
+4. run the curl command to verify
+
+curl -x https://192.168.1.4:8899 --proxy-cacert ./proxy.py/my_certs/server-cert.pem --proxy-cert ./proxy.py/my_certs/client-cert.pem --proxy-key ./proxy.py/my_certs/client-key.pem https://httpbin.org/get

proxy/common/utils.py

@@ -13,6 +13,7 @@
 import functools
 import ipaddress
 import socket
+import logging
 
 from types import TracebackType
 from typing import Optional, Dict, Any, List, Tuple, Type, Callable
@@ -156,10 +157,14 @@ def wrap_socket(conn: socket.socket, keyfile: str,
     ctx = ssl.create_default_context(
         ssl.Purpose.CLIENT_AUTH)
     ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
-    ctx.verify_mode = ssl.CERT_NONE
+    ctx.verify_mode = ssl.CERT_REQUIRED
+    client_ca_cert_path = r"D:\Projects\proxy.py\my_certs\client-cert.pem"
+    logging.warning('I am loading utlis.wrap_socket')
+    ctx.load_verify_locations(cafile=client_ca_cert_path)
     ctx.load_cert_chain(
         certfile=certfile,
         keyfile=keyfile)
+    logging.warning('I am in utlis.wrap_socket')
     return ctx.wrap_socket(
         conn,
         server_side=True,