TLS fingerprints (2.1)

[untitaker]

• Write tests
• Wait for allow performing *only* fingerprint verification urllib3/urllib3#444
• Wait for use built-in ssl module (v2) pallets/werkzeug#565 -- use git version
• Wait for kennethreitz/requests#2192 -- worked around it

[untitaker]

Sorry for the spam. So i guess any changes can be filed against this branch.

[untitaker]

Maybe https://pypi.python.org/pypi/pytest-localserver can be used.

[t-8ch]

pytest-localserver depends on pyOpenSSL, are you fine with this?

[untitaker]

I don't care that much about the deps of the testsuite, so i'm fine with that.

On Wed, Aug 20, 2014 at 12:25:13PM -0700, Thomas Weißschuh wrote:

pytest-localserver depends on pyOpenSSL, are you fine with this?

---

Reply to this email directly or view it on GitHub:
#106 (comment)

[untitaker]

@t-8ch Should i add you as a collaborator so you can push directly to this? (Please don't merge yet though)

[t-8ch]

@untitaker It turns out, that the current fingerprint logic only checks fingerprints if it also validates the certficate itself (If it is trusted by a CA, not if the name matches, which is rather broken).
This has to be fixed in urllib3 and pulled into requests... I'll prepare a pull there.

[untitaker]

@t-8ch I added you as a collaborator.

I'd like to make this work regardless of the version of requests installed. If you have created a PR for requests, please post here then.

[t-8ch]

Blocked on urllib3/urllib3#444

[untitaker]

So the end user has to set verify to None and tls_fingerprint to something? Is setting verify to True and also setting tls_fingerprint still an option?

[untitaker]

I renamed this to verify_fingerprint because i think the name shows better that these params are related.

[t-8ch]

currently verify=None also disables fingerprint verification.
settings verify_fingerprint verifies the fingerprint instead of the hostname.
The certificate still needs to be trusted by a CA in the trust chain.
This is rather broken, hence the PR to urllib3

[untitaker]

I mean, assuming we are running a urllib3 version with your PR merged.

[t-8ch]

Yes, then you would set verify=None and verify_fingerprint=abc. We could also set verify=None when we get an fingerprint

[untitaker]

We could also set verify=None when we get an fingerprint

I'd rather keep as strict defaults as possible.

[untitaker]

I added some tests, but they fail on my machine. I am able to start a local server using the CLI of pytest-localserver and get some SSLErrors through manual testing, but in the test env requests seems to be happy with the certificate. I don't see any indication that the pytest plugin monkeypatches requests for cert verification.

[t-8ch]

I confused verify=None with verify=False in my posts. At the moment verify=False also disables fingerprint verification.

[untitaker]

My fault -- a different test didn't properly clean up after monkeypatching.

[t-8ch]

The issue in urllib3 has been fixed and released in requests 2.4.0. We can depend on the old version of werkzeug requiring pyopenssl and later switch to the new one.

[t-8ch]

The testsuite is now blocked on kennethreitz/requests#2192

[untitaker]

We can't depend on a old version of Werkzeug, neither work with Py3.

[untitaker]

Ah nvm i see you already commited something. Well, that's a solution too.

[untitaker]

Actually i fixed the issue with requests by simply catching more errors: vdirsyncer/owncloud-testserver@6499b76

[untitaker]

Is there anything stopping this PR now?

[t-8ch]