Hostname verification Issue w/ Proxies #422

Closed
dstufft opened this Issue Jun 30, 2014 · 16 comments

Collaborator

dstufft commented Jun 30, 2014

pip is getting a report of an issue verifying hostnames (pypa/pip#1905) when using a proxy and @sigmavirus24 suggested this is probably an urllib3 issue.

Here's the information as I have it:

@chrullrich said:

When using a proxy (CONNECT via plain HTTP), pip gets the HTTPS certificate verification wrong. Rather than verifying that the certificate received through the tunnel matches the host at the tunnel's end, it compares it to the proxy itself:

[user@host ~]# pip --proxy proxy.localdoma.in:3128 -v install --upgrade pip
Could not fetch URL https://pypi.python.org/simple/pip/: connection error: hostname 'proxy.localdoma.in' doesn't match either of '*.c.ssl.fastly.net', 'c.ssl.fastly.net', '*.target.com', '*.vhx.tv', '*.snappytv.com', '*.atlassian.net', 'p [...]

I'm all in favor of securing PyPI, but there should be some testing involved.

@chrullrich said:

The proxy is squid 3.3, and no, I do not have any of the three installed, just plain Python 3.4.1 (amd64) plus pywin32-219.

@chrullrich said:

We do not have any funny business going on, like a transparent proxy configured to do SSL MITM with invented certificates.

@chrullrich said:

Python 3.4.1 (v3.4.1:c0e311e010fc, May 18 2014, 10:45:13) [MSC v.1600 64 bit (AMD64)] on win32

I left out a few things which I don't believe are relevant to urllib3, but they're on the original pip ticket if you want to see them.
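The check the report describes, as an added example that is not part of the original thread or of pip's or urllib3's code: once a CONNECT tunnel is up, the certificate must be matched against the origin host, never the proxy. The function names and the SAN list are constructed for illustration (the error output above is truncated), and `dnsname_matches` is a simplified stand-in for the matching that `ssl` performs when `check_hostname` is enabled.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed SAN list: the first three names appear in the error above,
# the last one is an assumption because the page's output is cut off.
SAMPLE_SANS = ["*.c.ssl.fastly.net", "c.ssl.fastly.net", "*.target.com",
               "pypi.python.org"]


def dnsname_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only replace the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(san_dns_names, hostname):
    """True if any dNSName entry of the certificate covers hostname."""
    return any(dnsname_matches(p, hostname) for p in san_dns_names)


def open_tunnel(proxy_host, proxy_port, url, timeout=10):
    """CONNECT via a plain-HTTP proxy, then start TLS verified against the origin."""
    origin = urlsplit(url)
    host, port = origin.hostname, origin.port or 443
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        sock.close()
        raise OSError(f"proxy refused CONNECT: {reply[:80]!r}")
    ctx = ssl.create_default_context()  # CERT_REQUIRED with check_hostname=True
    # server_hostname is the far end of the tunnel, not proxy_host.
    return ctx.wrap_socket(sock, server_hostname=host)
```

`cert_covers(SAMPLE_SANS, "proxy.localdoma.in")` is false while `cert_covers(SAMPLE_SANS, "pypi.python.org")` is true, which is the mismatch the error message reports when the proxy's name is checked instead of the origin's.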

Collaborator

Lukasa commented Jun 30, 2014

So, here's a fun fact: Python 3.4 does its own cert verification. I wonder if that's where the problem is.

Owner

shazow commented Jun 30, 2014

So, here's a fun fact: Python 3.4 does its own cert verification. I wonder if that's where the problem is.

TIL.

Collaborator

Lukasa commented Jun 30, 2014

=) I wonder if we can narrow it down to a Python 3.4 vs earlier Pythons issue.

Collaborator

dstufft commented Jun 30, 2014

Uhh, does 3.4 really do its own cert validation by default? I didn't think Python 3.4 did that?

I have both 3.3 and 3.4 on that machine. On it ...

(Update: Even if it did, it would not see the one coming out of the tunnel, so I doubt that's the reason. Checking anyway ...)

Collaborator

Lukasa commented Jun 30, 2014

I acknowledge that I may have confused Pythons. There are too many SSL libraries in my life right now. Let me check.

Collaborator

Lukasa commented Jun 30, 2014

New plan, I wonder if this is related to #385.

Collaborator

Lukasa commented Jun 30, 2014

In fact I'm quite confident it is.

Collaborator

Lukasa commented Jun 30, 2014

Yup, looks like we don't have the fix for #385 in 2.3.0.

Collaborator

Lukasa commented Jun 30, 2014

Doubt this is urllib3's fault, suspect this is requests not being fully up to date. We should try to push out a point release I think.

Collaborator

dstufft commented Jun 30, 2014

lol Whoops

I know you're all going to kill me now, but I just noticed I had the wrong machine. The one the problem is on has pip 1.5.4.

Collaborator

dstufft commented Jun 30, 2014

Does it work if you upgrade to 1.5.6?

Yes, of course. I apologize for the noise ...

Collaborator

dstufft commented Jun 30, 2014

No Worries! Closing this.

@dstufft dstufft closed this Jun 30, 2014

Owner

shazow commented Jun 30, 2014

Self-resolving issues are my favourite. Thanks everyone. :)
