diff --git a/proxy/http/client.py b/proxy/http/client.py
index 67a87fa46c..2537dc596f 100644
--- a/proxy/http/client.py
+++ b/proxy/http/client.py
@@ -11,9 +11,14 @@
 import ssl
 from typing import Optional
+import certifi
+
 from .parser import HttpParser, httpParserTypes
+from ..common.types import TcpOrTlsSocket
 from ..common.utils import build_http_request, new_socket_connection
-from ..common.constants import HTTPS_PROTO, DEFAULT_TIMEOUT
+from ..common.constants import (
+    HTTPS_PROTO, DEFAULT_TIMEOUT, DEFAULT_SSL_CONTEXT_OPTIONS,
+)
 def client(
@@ -41,18 +46,18 @@ def client(
         conn = new_socket_connection((host.decode(), port))
     except ConnectionRefusedError:
         return None
-    try:
-        sock = (
-            ssl.wrap_socket(sock=conn, ssl_version=ssl.PROTOCOL_TLSv1_2)
-            if scheme == HTTPS_PROTO
-            else conn
-        )
-    except Exception:
-        conn.close()
-        return None
-    parser = HttpParser(
-        httpParserTypes.RESPONSE_PARSER,
-    )
+    sock: TcpOrTlsSocket = conn
+    if scheme == HTTPS_PROTO:
+        try:
+            ctx = ssl.SSLContext(protocol=(ssl.PROTOCOL_TLS_CLIENT))
+            ctx.options |= DEFAULT_SSL_CONTEXT_OPTIONS
+            ctx.verify_mode = ssl.CERT_REQUIRED
+            ctx.load_verify_locations(cafile=certifi.where())
+            sock = ctx.wrap_socket(conn, server_hostname=host.decode())
+        except Exception:
+            conn.close()
+            return None
+    parser = HttpParser(httpParserTypes.RESPONSE_PARSER)
     sock.settimeout(timeout)
     try:
         sock.sendall(request)
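Review bot: `import certifi` introduces a runtime dependency on a third-party package that this module did not have before; unless it is already declared in the project's install requirements (not visible in this diff), an installation without it fails at import time rather than only on the HTTPS path. If the dependency is meant to be optional, guarding the import and falling back to `ctx.load_default_certs()` on the system trust store would keep the module importable and let deployments that rely on a locally installed CA keep working.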
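Review bot: The TLS handshake performed by `sock = ctx.wrap_socket(conn, server_hostname=host.decode())` runs before `sock.settimeout(timeout)` on the line that follows the new block, so a peer that accepts the TCP connection but stalls the handshake can block the caller indefinitely (unless `new_socket_connection`, which is outside the hunk, already sets a timeout). Moving the timeout up, with `conn.settimeout(timeout)` placed right after the ConnectionRefusedError handler, covers the handshake as well as the later send/recv. The `except Exception:` around the context setup also maps an `ssl.SSLCertVerificationError` to the same `None` the caller gets for a refused connection, so a failed certificate check — the condition the new `CERT_REQUIRED` setting exists to surface — leaves no trace; narrowing it to `except OSError:` and logging the exception before `conn.close()` keeps the failure visible to operators. Since `PROTOCOL_TLS_CLIENT` already defaults `check_hostname` and `verify_mode` to the strict values, the explicit `ctx.verify_mode = ssl.CERT_REQUIRED` is harmless, though `ssl.create_default_context(cafile=certifi.where())` would state the same intent with the stdlib's recommended cipher and option defaults. The enclosing `client` function starts and ends outside the hunk.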