If the server certificate exists but the proxy certificate is missing no
TLS connection to the client was established at all (only an unencrypted
connection). Now use the "invalid" certificate to send the message to
the client as it should be.
+ /* Check that the proxy certificate file exists and is readable for this
+ * domain. This ensures we send an "invalid" certificate even if the proxy
+ * certificate doesn't exist. */
+ if (0 != proxy_certificate_path(hostname, path, sizeof(path))) {
+ return -1;
+ }
+ file = fopen(path, "r");
+ if (NULL == file) {
+ LOG(LOG_WARNING,
+ "verify_tls_connection(): proxy certificate doesn't exist: '%s'",
+ path);
+ return -1;
+ }
+ fclose(file);
+
test_proxy_successful
test_invalid_certificate
test_proxy_successful
test_invalid_certificate
+echo missing proxy certificate
+mv certificate-localhost-proxy.pem .pem
+client localhost 4712 invalid || abort
+mv .pem certificate-localhost-proxy.pem
+test_proxy_successful
+test_invalid_certificate
+
echo normal connection
# 'localhost' is the CN of tlsproxy's certificate.
client localhost 4712 localhost || abort
echo normal connection
# 'localhost' is the CN of tlsproxy's certificate.
client localhost 4712 localhost || abort
test_proxy_successful
test_invalid_certificate
test_proxy_successful
test_invalid_certificate
+echo mitm missing proxy certificate
+mv certificate-localhost-proxy.pem .pem
+client localhost 4712 invalid || abort
+mv .pem certificate-localhost-proxy.pem
+test_proxy_successful
+test_invalid_certificate
+
echo mitm normal connection
client localhost 4712 invalid || abort
test_proxy_successful
echo mitm normal connection
client localhost 4712 invalid || abort
test_proxy_successful
test_proxy_successful
test_invalid_certificate
test_proxy_successful
test_invalid_certificate
+echo missing proxy certificate
+mv certificate-localhost-proxy.pem .pem
+# "invalid" to prevent user error if the proxy certificate gets deleted (but
+# the server certificate is still readable).
+client localhost 4712 invalid || abort
+mv .pem certificate-localhost-proxy.pem
+test_proxy_successful
+test_invalid_certificate
+
echo normal connection
# 'localhost' is the CN of tlsproxy's certificate.
client localhost 4712 localhost || abort
echo normal connection
# 'localhost' is the CN of tlsproxy's certificate.
client localhost 4712 localhost || abort
test_proxy_successful
test_invalid_certificate
test_proxy_successful
test_invalid_certificate
+echo mitm missing proxy certificate
+mv certificate-localhost-proxy.pem .pem
+# "invalid" to prevent user error if the proxy certificate gets deleted (but
+# the server certificate is still readable).
+client localhost 4712 invalid || abort
+mv .pem certificate-localhost-proxy.pem
+test_proxy_successful
+test_invalid_certificate
+
echo mitm normal connection
client localhost 4712 invalid || abort
test_proxy_successful
echo mitm normal connection
client localhost 4712 invalid || abort
test_proxy_successful