Skip to content

Fix HTTPS connection when host is an IP address #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 19, 2022
Merged

Fix HTTPS connection when host is an IP address #81

merged 2 commits into from
Apr 19, 2022

Conversation

@pquentin
Copy link
Member

@pquentin pquentin commented Apr 15, 2022

Closes elastic/elasticsearch-py#1958

While it looks like it might be possible to use an IP address in a certificate, I've never seen it used and it's explicitly forbidden for SNI (RFC 3546, Section 3.1). Additionally, server_hostname is not set in urllib3 when the host is an IP, which raises an exception in the ssl standard module.

The main majority of the new code comes from urllib3. I could have used urllib3.util.ssl_.is_ip_address directly but thought that was rude!

sethmlarson
sethmlarson reviewed Apr 15, 2022
View reviewed changes
Copy link
Contributor

@sethmlarson sethmlarson left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks excellent, thanks! One thing I'd like is if we could test this new behavior with all the HTTP node classes since the issue didn't show up until we did that. Would be good to make sure warnings aren't being emitted too. Maybe using pytest-httpserver+trustme serving on 127.0.0.1?

@pquentin
Copy link
Member Author

pquentin commented Apr 19, 2022

Thanks, I've did just that. This clarified that IP addresses certificates are perfectly fine, however we need to make sure that check_hostname is not set.

This is quite a low-level concern and it's unfortunate that we need to worry about it here, but I don't think there's any way around this as long as we create our own SSLContext. If we had another API to set the SSL version and disable verification, we would not need this PR.

sethmlarson
sethmlarson approved these changes Apr 19, 2022
View reviewed changes
Copy link
Contributor

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is excellent, thank you for this! :shipit:

@sethmlarson sethmlarson merged commit b55f091 into elastic:main Apr 19, 2022
This was referenced Apr 19, 2022
Merged
Merged
@pquentin pquentin deleted the 2022-04-15-check-hostname-ip-address branch May 9, 2022 05:27
@pquentin pquentin mentioned this pull request May 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sethmlarson sethmlarson sethmlarson approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport 8.1 backport 8.2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error "ValueError: check_hostname requires server_hostname"

2 participants

@pquentin @sethmlarson