-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rely on urllib3 hostname matching for HTTPS proxy validation. #2407
Rely on urllib3 hostname matching for HTTPS proxy validation. #2407
Conversation
Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
Codecov Report
@@ Coverage Diff @@
## 1.26.x #2407 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 25 25
Lines 2313 2322 +9
=========================================
+ Hits 2313 2322 +9
Continue to review full report at Codecov.
|
@sethmlarson The 1.26.x required checks appear to be messed up again. :/
We haven't ported the CVE-2021-28363 fix to the main branch yet. It's harder than on 1.26.x because we want to lean on SSLContext to perform hostname matching. This is tracked in #2190. (If you want to work on it, it would be nice, but you certainly don't have to!)
I don't think they are needed, and in any case we shouldn't worry about them in this PR which is about fixing the IP use case. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great, thanks! Can you please remove your TODO and update CHANGES.rst?
Closing/reopening to see if the Windows 2.7 failure was transient or not. Edit: it was! |
Out of curiosity, how easy would it be to have something like dummyserver/https_proxy.py in order to test this? After all, this works in tests. |
@pquentin is there anything I can do to help get this in? I also have the exact problem that is being fixed here. |
@achapkowski Nothing specific, I expect this to land soon, then we'll see if it warrants a release or not. This definitely impacts a few users! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for putting this together @jalopezsilva, here are some review comments for you:
This should be super easy and a good way for everyone to be able to tests changes with HTTPS proxies. I'll create a separate PR for this :) |
* Added CHANGES.rst. * Removed TODO. * Added getattr on the proxy is verified check. * Improved assertions around warnings.
I addressed most of the review comments. @sethmlarson, I did run into a bug while verifying the cert with the IPv6 proxy address. It's the bug that #2241 is attempting to fix essentially. Should we merge this first and then tackle that one separately? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thank you for this!! Let's merge this first then tackle IPv6 separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
This PR aims to fix issue #2400. On that issue we discovered that if you attempt to do an HTTPS proxy connection to fetch an HTTPS website with a proxy that uses an IP address we won't validate its hostname correctly and we'll throw an error when we call
wrap_socket
.The issue is caused by the fact that 1) HTTPS proxy validation relies on
SSLContext.check_hostname
for its hostname validation. 2) IP addresses can't be used as an SNI hint so we don't pass them along withserver_hostname
. The end result is thatSSLContext
throws on thewrap_socket
call as it requires aserver_hostname
to be set ifcheck_hostname
is True.To address that, I'm switching over HTTPS proxy hostname validation to use urllib3's default validation.
Couple of items worth discussing:
1.26.x
to make it easier. Once merged, I'll create an equivalent PR to merge the changes intomain
too.assert_proxy_fingerprint
orassert_proxy_hostname
options. We can discuss if we think they are needed.