New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS-in-TLS not working with IP proxies #2400
Comments
TLS-in-TLS proxy support was added in urllib3 v1.26.0, could you upgrade and try again? |
I tried with version
$ poetry show
[...]
urllib3 1.26.6 HTTP library with thread-safe connection pooling, file post, and more. |
Is there any way to get some log related to the TLS certificate processing from urllib3 ? |
Are you connecting to your proxy using an IP address? |
Yes, I'm using the following format |
Congratulations, you just found a bug! We send SNI even though we should not when the proxy is an IP. (That's what the error message says.) A workaround would be to use an hostname if you have one or just stop using TLS-in-TLS. (This has nothing to do with basic authentication.) |
Oh thank you :-( Well I will wait for an update :-D |
Hi there, I'm currently working on a project that relies on a vulnerability fixed in v1.26.5, but this issue keeps me from using our proxies correctly. I have a deadline to meet this week, and was wondering if there is an estimated release that fixes this bug, or possibly a workaround? |
@Kcam9908 TLS-in-TLS proxies were added in 1.26.0 and if I'm understanding correctly this issue has always been in the TLS-in-TLS proxies. You should be able to use HTTPS-to-HTTP and HTTP-to-HTTPS proxies which have "always" been available in urllib3 just fine. What I'm saying is you probably aren't "newly" impacted by this issue if you've recently upgraded to 1.26.x? Does this make sense? Let me know if I forgot something. |
No, it is not a new problem, version-wise. All current 1.26.x versions are not working. My team was using an out of date version (1.25.8), and until recently we didn't have to update. We found a vulnerability that required updating, which then broke it. |
Could you share your configuration? There was an unfortunate situation in urllib3 where we never documented support for TLS-in-TLS proxies pre-1.26.0 but trying to use it didn't fail with an error it instead "kinda worked" by doing HTTP on the proxy and HTTPS for the target. Basically your "solution" may be to use a proxy with See #1850 for another explanation, you would have seen this warning if you were using 1.25.9 which is the version that added the warning in preparation for us actually supporting TLS-in-TLS proxying. |
I noticed there was a PR opened. Do you guys have a timeline for when the fix for this issue will be released? My team and I are trying to make a decision moving forward, as it is a critical fix for our product. |
@Kcam9908 Did you read my reply to you directly above? In summary we don't think the issue you're seeing will be resolved by the PR you mentioned.
Your organization might consider sponsoring our development efforts if urllib3 is critical to your business. |
Thanks for the response, I will look into the workaround. For management purposes, could you please let me know when this fix will be released? |
@Kcam9908 There is no set timeline, we'll start the release process when the PR is merged. |
The PR for relying on urllib3's hostname matching logic for verifying proxy certificates is merged. However there's still a bug with IPv6 addresses we'd like to fix before we ship a bugfix release. |
This was fixed in #2419 and released as part of 1.26.7. |
Subject
I'm trying to send a GET HTTP request to an HTTPS website through a secure proxy. The proxy only allows TLS connection with basic authentication.
To achieve this, I use a
ProxyManager
.As result the following exceptions is triggered:
Environment
Steps to Reproduce
You need an HTTPS proxy with basic authentication and an HTTPS website as an example:
Expected Behavior
Website body page as a response.
Actual Behavior
Exception triggered:
The text was updated successfully, but these errors were encountered: