urllib3 · Sep 20, 2019
Showing with 16 additions and 3 deletions.

+8 −0 CHANGES.rst

+1 −1 src/urllib3/__init__.py

+7 −2 src/urllib3/util/ssl_.py
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,14 @@
 Changes
 =======
 
+1.25.5 (2019-09-19)
+-------------------
+
+* Add mitigation for BPO-37428 affecting Python <3.7.4 and OpenSSL 1.1.1+ which
+  caused certificate verification to be enabled when using ``cert_reqs=CERT_NONE``.
+  (Issue #1682)
+
+
 1.25.4 (2019-09-19)
 -------------------
 

diff --git a/src/urllib3/__init__.py b/src/urllib3/__init__.py
@@ -22,7 +22,7 @@
 
 __author__ = "Andrey Petrov (andrey.petrov@shazow.net)"
 __license__ = "MIT"
-__version__ = "1.25.4"
+__version__ = "1.25.5"
 
 __all__ = (
     "HTTPConnectionPool",

diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
@@ -2,6 +2,7 @@
 import errno
 import warnings
 import hmac
+import sys
 
 from binascii import hexlify, unhexlify
 from hashlib import md5, sha1, sha256
@@ -274,8 +275,12 @@ def create_urllib3_context(
     # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
     # necessary for conditional client cert authentication with TLS 1.3.
     # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older
-    # versions of Python.
-    if getattr(context, "post_handshake_auth", None) is not None:
+    # versions of Python.  We only enable on Python 3.7.4+ or if certificate
+    # verification is enabled to work around Python issue #37428
+    # See: https://bugs.python.org/issue37428
+    if (cert_reqs == ssl.CERT_REQUIRED or sys.version_info >= (3, 7, 4)) and getattr(
+        context, "post_handshake_auth", None
+    ) is not None:
         context.post_handshake_auth = True
 
     context.verify_mode = cert_reqs