DeprecationWarning forurllib3.contrib.pyopenssl

[yonting]

I am getting a DeprecationWarning from urllib3 as described here: urllib3/urllib3#2691. Is it possible to fix this?

On a related note, are there plans to allow urllib3>=2.0.0?

[vog]

Any pull request making requests_pkcs2 work with urllib3 2.x is welcome - or just testing whether just removing that restriction in setup.py is already sufficient. If you succeed, please file a pull request for that change.

Having said that, the urllib3 stuff is a leftover from the Python2 compatible implementation. If there is a way to implement this via Python3's plain urllib, it'd be even happier. Here, again, any pull request is welcome.

[yonting]

I'll try make a PR, but I'm sure no expert in this area.

What if we change this line

requests_pkcs12/requests_pkcs12.py

Line 106 in 473bf08

self.ssl_context = create_pyopenssl_sslcontext(pkcs12_data, pkcs12_password_bytes, ssl_protocol)

to use create_ssl_sslcontext instead. Then delete create_pyopenssl_sslcontext and remove all dependency on urllib3 and pyopenssl?

Or is there a reason we need to use pyopenssl or provide that option?

[yonting]

I made a PR to allow urllib3<2.1. I can make one to remove it entirely if you agree that is all fine.

[vog]

Sorry for the late response.

I believe that your proposal:

to use create_ssl_sslcontext instead. Then delete create_pyopenssl_sslcontext and remove all dependency on urllib3 and pyopenssl?

is the way to go. It doesn't make sense to support cryptography and pyOpenSSL at the same time. Along the way, it would be great if you could rename

create_ssl_sslcontext

to

create_sslcontext

as well.

[vog]

Thanks for your contribution! We just released version 1.16 which contains your improvement:

https://pypi.org/project/requests-pkcs12/

[vog]

Our solution appears to have an unintended side effect, see #44.

[bobleckelibm]

Could be wrong, but is it possible that this change also had the side affect of no longer allowing verify=False? (Caveat, I know that verify=False is a bad idea... We require it for internal use)

This is the error that we get with verify=False:

Cannot set verify_mode to CERT_NONE when check_hostname is enabled.

[yonting]

Could be wrong, but is it possible that this change also had the side affect of no longer allowing verify=False? (Caveat, I know that verify=False is a bad idea... We require it for internal use)

This is the error that we get with verify=False:

Cannot set verify_mode to CERT_NONE when check_hostname is enabled.

I am seeing the same problem. I do not know how to make a fix for this. You can change ssl_protocol, so Pkcs12Adapter(..., ssl_protocol=ssl.PROTOCOL_SSLv23), maybe, but ssl.PROTOCOL_SSLv23 is deprecated.