Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

if verify=False needed? #5

Open
sandroden opened this issue Apr 8, 2019 · 4 comments
Open

if verify=False needed? #5

sandroden opened this issue Apr 8, 2019 · 4 comments

Comments

@sandroden
Copy link

Hi,

I have not been able to use this adapter, maybe I just misunderstood the goal, maybe I misused it...
I wanted to use it to test a configuration before the dns is property set in the situation I have proper certificate in place: the same test I would obtain cheating with resolution in /etc/hosts. In this frame I need that verification of th ssl chain is done! that's part of what I want to test.

In your example, you explicitly set it to False. Do I misunderstand what is this adapter intended to do or is impossible to achieve?

Moreover, in the example you write session.get('/some/path', ...) it seems to me that you need to put there an address, while the path, seems to refer to parsed_url.path
@Roadmaster
Copy link
Owner

Hi! The readme says

It does NO certificate verification (which would be pointless)

The reason is that certificate verification will NOT match the originating hostname (because it's a hacked IP).

As for session.get, you don't need an address there because you specified it in the previous line where you do session.mount. What you specify to session.get is a path relative to the address given to session.mount - this is no different from normal Requests usage.

@sandroden
Copy link
Author

hi,

I did read the readme. What puzzles me is that if I change the resolution in /etc/hosts that's a way to get a hacked IP, but in that situation, I can have a correct ssl connection with validation and so on. So I personally don't understand what's different here. I know nothing of how SNI is implemented though. I'd say that no matter how you get the IP (from /etc/hosts or from --force-ip) the rest seems pretty much the same to me.

The idea that certification would be pointless is far from objective. Eg: I like to verify that a setup works before publishing it, that I thought was the use case at the base of this adapter.

As far as the last point, I had errors, and reading requests' documentation:

The mount call registers a specific instance of a Transport Adapter to a prefix. Once mounted, any HTTP request made using that session whose URL starts with the given prefix will use the given Transport Adapter.

so I interpreted as routing mecanism: when this route is used, this adapter is to be used.

@Roadmaster
Copy link
Owner

Hi,

In the situation for which I wrote this, I have no control over /etc/hosts, so that solution didn't work for me.

The point of this adapter is actually to skip errors due to mismatched hostname/certificate (I have other checks for certificate validity), this is why in this context I don't care about validating the certificate itself.

@sandroden
Copy link
Author

BTW: in your example you use
session.get(uri, ...)
in that context uri is certainly not the path... in my opinion the example is correct, the documentation needs to be fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Roadmaster @sandroden