Lean on SSLContext to verify hostnames when possible #2178
pquentin merged 5 commits into urllib3:main
It won't make a difference in practice, and avoids useless differences.
* The ssl module already avoids SNI when the host is an IP address
* pyOpenSSL now does that too
* We were already using SNI on IP addresses with SecureTransport anyway

In other words, this does not change anything, but is cleaner (we no longer test for SecureTransport in ssl.py) and will allow us to lean on ssl.SSLContext to match hostnames.
Codecov Report
@@ Coverage Diff @@
## main #2178 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 25 25
Lines 2250 2250
=========================================
Hits 2250 2250
Ubuntu build timed out, retrying
sethmlarson left a comment
This is looking pretty good, a few comments for you:
| # We ask for verification here but it may be disabled in HTTPSConnection.connect | ||
| context.check_hostname = cert_reqs == ssl.CERT_REQUIRED | ||
| if hasattr(context, "hostname_checks_common_name"): | ||
| context.hostname_checks_common_name = False # Python 3.7 |
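Review bot: on the `context.check_hostname = cert_reqs == ssl.CERT_REQUIRED` line, `ssl.CERT_OPTIONAL` leaves `check_hostname` off, so a context created with that value will not have the backend match the hostname. If that is intended, say so in the comment above the assignment; if not, compare against `ssl.CERT_NONE` instead (`cert_reqs != ssl.CERT_NONE`).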
Should the `# Python ...` comment be on the `if` line to cover the whole branch?
So the intent here is to remind us to remove this when we drop support for Python 3.6 while still making sure it's covered.
Now that I think about it more, the best thing to do is to rely on codecov telling us it's no longer covered when we drop Python 3.6.
| cert_reqs=resolve_cert_reqs(self.cert_reqs), | ||
| ) | ||
| # In some cases, we want to verify hostnames ourselves | ||
| if ( |
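Review bot: the comment above the `if (` says only "In some cases", which does not tell a reader which cases they are. Since this branch decides when hostnames are verified by our own code rather than by the context, give each condition in the `if` a short reason so the list can be audited when a backend or Python version is dropped.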
Love how this codifies all the situations where we disable check_hostname so nicely 🤩
We already have way too many public functions
ba4d13f to edb7841
sethmlarson left a comment
I think all review comments are covered here, merge when ready! 🎉
Thanks! Merged
Closes #517
There are four situations where we can't lean on SSLContext to verify certs for us:
ssl
So, given the preparatory work done in #2176 and #2177, this PR only adds one commit where we just ask the SSL backend to verify the hostname (SecureTransport was already doing it anyway.)
I made sure that invalid hostnames are still rejected with all three SSL backends.
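The context setup quoted in the review above, as an added example that is not urllib3's own code: it shows the order in which `verify_mode` and `check_hostname` have to be set on a standard-library `ssl.SSLContext`, and which `cert_reqs` values end up with hostname matching done by the context. The function names are hypothetical and Python 3.7+ is assumed.

```python
import ssl


def make_client_context(cert_reqs):
    """Hypothetical helper: the context matches hostnames only when
    certificates are required, as in the snippet quoted in the review."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT starts with check_hostname=True, and the ssl module
    # refuses verify_mode=CERT_NONE in that state, so clear the flag first.
    context.check_hostname = False
    context.verify_mode = cert_reqs
    context.check_hostname = cert_reqs == ssl.CERT_REQUIRED
    if hasattr(context, "hostname_checks_common_name"):
        # Match subjectAltName entries only, not the legacy commonName.
        context.hostname_checks_common_name = False
    return context


def wrong_order_is_rejected():
    """Asking for CERT_NONE while check_hostname is on raises ValueError."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        context.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def reenabling_check_restores_verification():
    """Turning check_hostname back on cannot leave CERT_NONE in place."""
    context = make_client_context(ssl.CERT_NONE)
    context.check_hostname = True  # Python 3.7+ raises verify_mode itself
    return context.verify_mode


def hostname_check_matrix():
    """Map each cert_reqs value to the resulting check_hostname setting."""
    modes = (ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED)
    return {m.name: make_client_context(m).check_hostname for m in modes}


if __name__ == "__main__":
    print(hostname_check_matrix())
    print("wrong order rejected:", wrong_order_is_rejected())
    print("after re-enabling:", reenabling_check_restores_verification().name)
```

With `check_hostname` enabled, the standard library's `wrap_socket()` also requires a `server_hostname`, so a caller cannot silently skip the match by omitting it.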