WIP: Ensure PyOpenSSLContext.load_verify_locations raises ssl.SSLError #1517
Conversation
It allows ssl_wrap_socket to catch this ssl.SSLError, which is a subclass of the built-in IOError; then urllib3.exceptions.SSLError will be raised.
Thanks for opening this! I have a few review comments below to address before we can merge this.
test/contrib/test_pyopenssl.py
@@ -84,3 +87,14 @@ def test_get_subj_alt_name(self, mock_warning): | |||
self.assertEqual(mock_warning.call_count, 1) | |||
self.assertIsInstance(mock_warning.call_args[0][1], | |||
x509.DuplicateExtension) | |||
|
|||
class TestPyOpenSSLException(unittest.TestCase): |
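Review bot: the new test lands in a module-level `TestPyOpenSSLException(unittest.TestCase)` class in test/contrib/test_pyopenssl.py, so it only exercises the pyOpenSSL backend, and its name ties it to that backend even though the behaviour being asserted (load_verify_locations raising ssl.SSLError) is meant to hold for every SSLContext implementation; move the test method into the shared `TestClientCerts` suite instead of adding a backend-specific class.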
Let's add this testcase to TestClientCerts to ensure it's run against all SSLContext implementations.
test/contrib/test_pyopenssl.py
class TestPyOpenSSLException(unittest.TestCase): | ||
def test_load_verify_locations_exception(self): | ||
""" | ||
Ensure PyOpenSSLContext.load_verify_locations raises ssl.SSLError, which is |
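Review bot: the docstring of `test_load_verify_locations_exception` names `PyOpenSSLContext` specifically; since the test is meant to run against every SSLContext implementation, state the contract generically, for example "Ensure load_verify_locations raises ssl.SSLError on failure so that ssl_wrap_socket can turn it into urllib3.exceptions.SSLError", so the docstring stays accurate once the test moves out of the pyOpenSSL-specific class.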
This docstring will have to be modified to be generic.
self._ctx.load_verify_locations(cafile, capath) | ||
if cadata is not None: | ||
self._ctx.load_verify_locations(BytesIO(cadata)) | ||
try: |
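Review bot: only the opening `try:` of the new block is visible in this hunk, so make sure both `self._ctx.load_verify_locations(cafile, capath)` and the `cadata` branch's `self._ctx.load_verify_locations(BytesIO(cadata))` end up inside it, and that the matching `except` catches `OpenSSL.SSL.Error` and re-raises it as `ssl.SSLError` (keeping the original error as context) as the PR description states; a `try:` that wraps only the first call would leave the in-memory `cadata` path raising the untranslated backend error.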
You may have to add this change to the SecureTransport SSLContext implementation as well. We also need a CHANGES.rst entry saying that all SSLContext.load_verify_locations() implementations raise urllib3.exceptions.SSLError on a failure.
Codecov Report
@@            Coverage Diff             @@
##           master    #1517      +/-   ##
==========================================
+ Coverage   64.68%   64.72%   +0.03%
==========================================
  Files          22       22
  Lines        2897     2897
==========================================
+ Hits         1874     1875       +1
+ Misses       1023     1022       -1
Continue to review full report at Codecov.
Without this patch, an OpenSSL.SSL.Error is raised when PyOpenSSLContext.load_verify_locations fails:

With this patch, an ssl.SSLError is raised, in the same way do_handshake errors are handled:

then:
ssl.SSLError is caught by ssl_wrap_socket
urllib3.exceptions.SSLError error is raised

python -c "import requests, os; requests.get('https://github.com', verify=os.devnull)"
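The exception chain the description relies on, as an added example that is not urllib3's or this PR's own code: pyOpenSSL's SSL.Context and OpenSSL.SSL.Error, and urllib3.exceptions.SSLError, are replaced by constructed stand-ins, and an empty temporary file plays the role of verify=os.devnull.

```python
import os
import ssl
import tempfile

class BackendError(Exception):
    """Stand-in for OpenSSL.SSL.Error (constructed; pyOpenSSL is not imported)."""

class Urllib3SSLError(Exception):
    """Stand-in for urllib3.exceptions.SSLError (constructed)."""

class FakeBackendContext:
    """Stand-in for pyOpenSSL's SSL.Context: rejects a CA file holding no certificate."""

    def load_verify_locations(self, cafile):
        if os.path.getsize(cafile) == 0:  # what verify=os.devnull produces
            raise BackendError([("x509 certificate routines", "", "no certificate or crl found")])

class PyOpenSSLContextBefore:
    """Before the patch: the backend's own error type escapes untranslated."""
    _ctx = FakeBackendContext()

    def load_verify_locations(self, cafile=None, capath=None, cadata=None):
        self._ctx.load_verify_locations(cafile)

class PyOpenSSLContextAfter(PyOpenSSLContextBefore):
    """After the patch: re-raise as ssl.SSLError, an OSError (IOError) subclass."""

    def load_verify_locations(self, cafile=None, capath=None, cadata=None):
        try:
            self._ctx.load_verify_locations(cafile)
        except BackendError as e:
            raise ssl.SSLError("unable to load trusted certificates: %r" % e)

def ssl_wrap_socket(context, ca_certs):
    """Mirrors urllib3's ssl_wrap_socket: only the stdlib error type is translated."""
    try:
        context.load_verify_locations(cafile=ca_certs)
    except OSError as e:  # catches ssl.SSLError, not BackendError
        raise Urllib3SSLError(e)

def error_seen_by_caller(context):
    """Exception class escaping ssl_wrap_socket for an empty CA file (like os.devnull)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        ssl_wrap_socket(context, path)
    except Exception as e:
        return type(e)
    finally:
        os.remove(path)
```

With the "before" context the caller sees the raw backend error, which nothing in the urllib3 call path catches; with the "after" context it sees the urllib3 exception, because ssl_wrap_socket's OSError handler now matches.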