Downgrade to urllib3 version 1.24.2
Downgrade until urllib3 fixes the SSL bad-handshake issue
h3llrais3r committed Apr 24, 2019
1 parent 0e2b2a9 commit adece9b
Showing 29 changed files with 246 additions and 3,209 deletions.
3 changes: 2 additions & 1 deletion lib/urllib3/__init__.py
@@ -1,6 +1,7 @@
"""
urllib3 - Thread-safe connection pooling and re-using.
"""

from __future__ import absolute_import
import warnings

Expand All @@ -26,7 +27,7 @@

__author__ = 'Andrey Petrov (andrey.petrov@shazow.net)'
__license__ = 'MIT'
__version__ = '1.25'
__version__ = '1.24.2'

__all__ = (
'HTTPConnectionPool',
38 changes: 16 additions & 22 deletions lib/urllib3/connection.py
Expand Up @@ -19,11 +19,10 @@ class BaseSSLError(BaseException):
pass


try:
# Python 3: not a no-op, we're adding this to the namespace so it can be imported.
try: # Python 3:
# Not a no-op, we're adding this to the namespace so it can be imported.
ConnectionError = ConnectionError
except NameError:
# Python 2
except NameError: # Python 2:
class ConnectionError(Exception):
pass

Expand Down Expand Up @@ -102,7 +101,7 @@ class HTTPConnection(_HTTPConnection, object):
is_verified = False

def __init__(self, *args, **kw):
if six.PY3:
if six.PY3: # Python 3
kw.pop('strict', None)

# Pre-set source_address.
Expand Down Expand Up @@ -159,7 +158,7 @@ def _new_conn(self):
conn = connection.create_connection(
(self._dns_host, self.port), self.timeout, **extra_kw)

except SocketTimeout:
except SocketTimeout as e:
raise ConnectTimeoutError(
self, "Connection to %s timed out. (connect timeout=%s)" %
(self.host, self.timeout))
Expand All @@ -172,8 +171,7 @@ def _new_conn(self):

def _prepare_conn(self, conn):
self.sock = conn
# Google App Engine's httplib does not define _tunnel_host
if getattr(self, '_tunnel_host', None):
if self._tunnel_host:
# TODO: Fix tunnel so it doesn't depend on self.sock state.
self._tunnel()
# Mark this connection as not reusable
Expand Down Expand Up @@ -228,16 +226,14 @@ class HTTPSConnection(HTTPConnection):
ssl_version = None

def __init__(self, host, port=None, key_file=None, cert_file=None,
key_password=None, strict=None,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
ssl_context=None, server_hostname=None, **kw):

HTTPConnection.__init__(self, host, port, strict=strict,
timeout=timeout, **kw)

self.key_file = key_file
self.cert_file = cert_file
self.key_password = key_password
self.ssl_context = ssl_context
self.server_hostname = server_hostname

Expand All @@ -259,7 +255,6 @@ def connect(self):
sock=conn,
keyfile=self.key_file,
certfile=self.cert_file,
key_password=self.key_password,
ssl_context=self.ssl_context,
server_hostname=self.server_hostname
)
Expand All @@ -277,24 +272,25 @@ class VerifiedHTTPSConnection(HTTPSConnection):
assert_fingerprint = None

def set_cert(self, key_file=None, cert_file=None,
cert_reqs=None, key_password=None, ca_certs=None,
cert_reqs=None, ca_certs=None,
assert_hostname=None, assert_fingerprint=None,
ca_cert_dir=None):
"""
This method should only be called once, before the connection is used.
"""
# If cert_reqs is not provided we'll assume CERT_REQUIRED unless we also
# have an SSLContext object in which case we'll use its verify_mode.
# If cert_reqs is not provided, we can try to guess. If the user gave
# us a cert database, we assume they want to use it: otherwise, if
# they gave us an SSL Context object we should use whatever is set for
# it.
if cert_reqs is None:
if self.ssl_context is not None:
if ca_certs or ca_cert_dir:
cert_reqs = 'CERT_REQUIRED'
elif self.ssl_context is not None:
cert_reqs = self.ssl_context.verify_mode
else:
cert_reqs = resolve_cert_reqs(None)

self.key_file = key_file
self.cert_file = cert_file
self.cert_reqs = cert_reqs
self.key_password = key_password
self.assert_hostname = assert_hostname
self.assert_fingerprint = assert_fingerprint
self.ca_certs = ca_certs and os.path.expanduser(ca_certs)
Expand All @@ -305,8 +301,7 @@ def connect(self):
conn = self._new_conn()
hostname = self.host

# Google App Engine's httplib does not define _tunnel_host
if getattr(self, '_tunnel_host', None):
if self._tunnel_host:
self.sock = conn
# Calls self._set_hostport(), so self.host is
# self._tunnel_host below.
Expand Down Expand Up @@ -343,7 +338,6 @@ def connect(self):
sock=conn,
keyfile=self.key_file,
certfile=self.cert_file,
key_password=self.key_password,
ca_certs=self.ca_certs,
ca_cert_dir=self.ca_cert_dir,
server_hostname=server_hostname,
41 changes: 20 additions & 21 deletions lib/urllib3/connectionpool.py
Expand Up @@ -26,7 +26,6 @@
from .packages.ssl_match_hostname import CertificateError
from .packages import six
from .packages.six.moves import queue
from .packages.rfc3986.normalizers import normalize_host
from .connection import (
port_by_scheme,
DummyConnection,
Expand Down Expand Up @@ -66,7 +65,7 @@ def __init__(self, host, port=None):
if not host:
raise LocationValueError("No host specified.")

self.host = _normalize_host(host, scheme=self.scheme)
self.host = _ipv6_host(host, self.scheme)
self._proxy_host = host.lower()
self.port = port

Expand Down Expand Up @@ -374,11 +373,9 @@ def _make_request(self, conn, method, url, timeout=_Default, chunked=False,

# Receive the response from the server
try:
try:
# Python 2.7, use buffering of HTTP responses
try: # Python 2.7, use buffering of HTTP responses
httplib_response = conn.getresponse(buffering=True)
except TypeError:
# Python 3
except TypeError: # Python 3
try:
httplib_response = conn.getresponse()
except Exception as e:
Expand Down Expand Up @@ -435,8 +432,8 @@ def is_same_host(self, url):

# TODO: Add optional support for socket.gethostbyname checking.
scheme, host, port = get_host(url)
if host is not None:
host = _normalize_host(host, scheme=scheme)

host = _ipv6_host(host, self.scheme)

# Use explicit default port for comparison when none is given
if self.port and not port:
Expand Down Expand Up @@ -675,7 +672,7 @@ def drain_and_release_conn(response):
# released back to the pool once the entire response is read
response.read()
except (TimeoutError, HTTPException, SocketError, ProtocolError,
BaseSSLError, SSLError):
BaseSSLError, SSLError) as e:
pass

# Handle redirect?
Expand Down Expand Up @@ -749,8 +746,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
If ``assert_hostname`` is False, no verification is done.
The ``key_file``, ``cert_file``, ``cert_reqs``, ``ca_certs``,
``ca_cert_dir``, ``ssl_version``, ``key_password`` are only used if :mod:`ssl`
is available and are fed into :meth:`urllib3.util.ssl_wrap_socket` to upgrade
``ca_cert_dir``, and ``ssl_version`` are only used if :mod:`ssl` is
available and are fed into :meth:`urllib3.util.ssl_wrap_socket` to upgrade
the connection socket into an SSL socket.
"""

Expand All @@ -762,18 +759,20 @@ def __init__(self, host, port=None,
block=False, headers=None, retries=None,
_proxy=None, _proxy_headers=None,
key_file=None, cert_file=None, cert_reqs=None,
key_password=None, ca_certs=None, ssl_version=None,
ca_certs=None, ssl_version=None,
assert_hostname=None, assert_fingerprint=None,
ca_cert_dir=None, **conn_kw):

HTTPConnectionPool.__init__(self, host, port, strict, timeout, maxsize,
block, headers, retries, _proxy, _proxy_headers,
**conn_kw)

if ca_certs and cert_reqs is None:
cert_reqs = 'CERT_REQUIRED'

self.key_file = key_file
self.cert_file = cert_file
self.cert_reqs = cert_reqs
self.key_password = key_password
self.ca_certs = ca_certs
self.ca_cert_dir = ca_cert_dir
self.ssl_version = ssl_version
Expand All @@ -788,7 +787,6 @@ def _prepare_conn(self, conn):

if isinstance(conn, VerifiedHTTPSConnection):
conn.set_cert(key_file=self.key_file,
key_password=self.key_password,
cert_file=self.cert_file,
cert_reqs=self.cert_reqs,
ca_certs=self.ca_certs,
Expand Down Expand Up @@ -826,9 +824,7 @@ def _new_conn(self):

conn = self.ConnectionCls(host=actual_host, port=actual_port,
timeout=self.timeout.connect_timeout,
strict=self.strict, cert_file=self.cert_file,
key_file=self.key_file, key_password=self.key_password,
**self.conn_kw)
strict=self.strict, **self.conn_kw)

return self._prepare_conn(conn)

Expand Down Expand Up @@ -879,9 +875,9 @@ def connection_from_url(url, **kw):
return HTTPConnectionPool(host, port=port, **kw)


def _normalize_host(host, scheme):
def _ipv6_host(host, scheme):
"""
Normalize hosts for comparisons and use with sockets.
Process IPv6 address literals
"""

# httplib doesn't like it when we include brackets in IPv6 addresses
Expand All @@ -890,8 +886,11 @@ def _normalize_host(host, scheme):
# Instead, we need to make sure we never pass ``None`` as the port.
# However, for backward compatibility reasons we can't actually
# *assert* that. See http://bugs.python.org/issue28539
#
# Also if an IPv6 address literal has a zone identifier, the
# percent sign might be URIencoded, convert it back into ASCII
if host.startswith('[') and host.endswith(']'):
host = host.strip('[]')
host = host.replace('%25', '%').strip('[]')
if scheme in NORMALIZABLE_SCHEMES:
host = normalize_host(host)
host = host.lower()
return host
14 changes: 7 additions & 7 deletions lib/urllib3/contrib/_securetransport/bindings.py
Expand Up @@ -516,8 +516,6 @@ class SecurityConst(object):
kTLSProtocol1 = 4
kTLSProtocol11 = 7
kTLSProtocol12 = 8
kTLSProtocol13 = 10
kTLSProtocolMaxSupported = 999

kSSLClientSide = 1
kSSLStreamType = 0
Expand Down Expand Up @@ -560,27 +558,30 @@ class SecurityConst(object):
errSecInvalidTrustSettings = -25262

# Cipher suites. We only pick the ones our default cipher string allows.
# Source: https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032
TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
Expand All @@ -589,5 +590,4 @@ class SecurityConst(object):
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_AES_128_CCM_8_SHA256 = 0x1305
TLS_AES_128_CCM_SHA256 = 0x1304
TLS_CHACHA20_POLY1305_SHA256 = 0x1303
