cert_passphrase has no effect when declared in config.yaml #6014

Puliyo · 2023-03-26T02:59:30Z

Problem Description

The ca file is encrypted (pkcs8).

$ cat certs/mitmproxy-ca.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
...

Declare cert_passphrase in config.yaml

$ cat certs/config.yaml
cert_passphrase: abcde

Run specifying the cert and yaml using "confdir" -> Fails

$ mitmdump -s test_addon.py --set confdir=./certs
[02:47:59.289] Addon error: Traceback (most recent call last):
  File "/home/ubuntu/venv/lib/python3.10/site-packages/mitmproxy/addons/tlsconfig.py", line 308, in configure
    self.certstore = certs.CertStore.from_store(
  File "/home/ubuntu/venv/lib/python3.10/site-packages/mitmproxy/certs.py", line 359, in from_store
    return cls.from_files(ca_file, dhparam_file, passphrase)
  File "/home/ubuntu/venv/lib/python3.10/site-packages/mitmproxy/certs.py", line 366, in from_files
    key = load_pem_private_key(raw, passphrase)
  File "/home/ubuntu/venv/lib/python3.10/site-packages/mitmproxy/certs.py", line 532, in load_pem_private_key
    return serialization.load_pem_private_key(data, password)  # type: ignore
  File "/home/ubuntu/venv/lib/python3.10/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 22, in load_pem_private_key
    return ossl.load_pem_private_key(data, password)
  File "/home/ubuntu/venv/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 921, in load_pem_private_key
    return self._load_key(
  File "/home/ubuntu/venv/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1179, in _load_key
    raise TypeError(
TypeError: Password was not given but private key is encrypted

Remove cert_passphrase from config.yaml and include in options -> Works

$ mitmdump -s test_addon.py --set cert_passphrase="abcde" --set confdir=./certs
[02:57:59.102] Loading script test_addon.py
[02:57:59.138] HTTP(S) proxy listening at *:8080.

System Information

$ mitmproxy --version
Mitmproxy: 9.0.1
Python:    3.10.6
OpenSSL:   OpenSSL 3.0.7 1 Nov 2022
Platform:  Linux-5.15.0-1027-oracle-aarch64-with-glibc2.35

The text was updated successfully, but these errors were encountered:

Prinzhorn · 2023-03-26T07:40:41Z

Before digging into this, are you sure mitmdump -s test_addon.py --set cert_passphrase="abcde" is accessing the same cert? Because you didn't specify confdir, so this might just look like it's working, because it doesn't load the same cert as the other command? Although the error message is pretty clear.

Puliyo · 2023-03-26T13:42:34Z

My bad. Running mitmdump as part of something and accidentally removed confdir while simplifying.
I'm very certain the two runs are accessing the same cert.
I will edit the description.

mhils · 2023-03-26T17:32:18Z

This needs an example certificate to be reproducible.

Puliyo · 2023-03-27T00:37:19Z

Here's the example encrypted mitmproxy-ca.pem I just generated. Password is "abcde".

mhils · 2023-03-31T21:07:13Z

Thanks, very useful! The problem here is the order of operations: We first set condir, which triggers both loading config.yaml and loading $confdir/mitmproxy-ca.pem. The second operation then already crashes before we have a chance to include the passphrase from config.yaml.

Puliyo added the kind/triage Unclassified issues label Mar 26, 2023

wesolowski-gh added a commit to wesolowski-gh/mitmproxy that referenced this issue Apr 2, 2023

Load config files from proper dir. Fixes mitmproxy#6014

4729c91

wesolowski-gh added a commit to wesolowski-gh/mitmproxy that referenced this issue Apr 2, 2023

Load config files from proper dir. Fixes mitmproxy#6014

e82b04b

wesolowski-gh added a commit to wesolowski-gh/mitmproxy that referenced this issue Apr 2, 2023

Load config files before applying cmdargs options. Fixes mitmproxy#6014

3a886af

wesolowski-gh added a commit to wesolowski-gh/mitmproxy that referenced this issue Apr 2, 2023

Load config files before applying cmdargs options. Fixes mitmproxy#6014

3673ab7

wesolowski-gh linked a pull request Apr 2, 2023 that will close this issue

Load config files before applying cmdargs options. Fixes #6014 #6043

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cert_passphrase has no effect when declared in config.yaml #6014

cert_passphrase has no effect when declared in config.yaml #6014

Puliyo commented Mar 26, 2023 •

edited

Prinzhorn commented Mar 26, 2023 •

edited

Puliyo commented Mar 26, 2023

mhils commented Mar 26, 2023

Puliyo commented Mar 27, 2023

mhils commented Mar 31, 2023

cert_passphrase has no effect when declared in config.yaml #6014

cert_passphrase has no effect when declared in config.yaml #6014

Comments

Puliyo commented Mar 26, 2023 • edited

Problem Description

System Information

Prinzhorn commented Mar 26, 2023 • edited

Puliyo commented Mar 26, 2023

mhils commented Mar 26, 2023

Puliyo commented Mar 27, 2023

mhils commented Mar 31, 2023

Puliyo commented Mar 26, 2023 •

edited

Prinzhorn commented Mar 26, 2023 •

edited