Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lean on SSLContext to verify hostnames when possible #2178

Merged
merged 5 commits into from
Mar 16, 2021

Conversation

pquentin
Copy link
Member

@pquentin pquentin commented Mar 12, 2021

Closes #517

There are four situations where we can't lean on SSLContext to verify certs for us:

  • Python 3.6, where we need our custom code to reject commonName
  • fingerprints and alternate hostnames, as those aren't supported by Python's ssl
  • PyOpenSSL where there's no easy way to check for hostnames

So, given the preparatory work done in #2176 and #2177, this PR only adds one commit where we just ask the SSL backend to verify the hostname (SecureTransport was already doing it anyway.)

I made sure that invalid hostnames are still rejected with all three SSL backends.

It won't make a difference in practice, and avoids useless differences.
 * The ssl module already avoids SNI when the host is an IP address
 * pyOpenSSL now does that too
 * We were already using SNI on IP addresses with SecureTransport anyway

In other words, this does not change anything, but is cleaner (we no
longer test for SecureTransport in ssl.py) and will allow us to lean on
ssl.SSLContext to match hostnames.
@codecov
Copy link

codecov bot commented Mar 12, 2021

Codecov Report

Merging #2178 (a1f46f9) into main (11fecfd) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff            @@
##              main     #2178   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           25        25           
  Lines         2250      2250           
=========================================
  Hits          2250      2250           
Impacted Files Coverage Δ
src/urllib3/connection.py 100.00% <100.00%> (ø)
src/urllib3/response.py 100.00% <100.00%> (ø)
src/urllib3/util/retry.py 100.00% <100.00%> (ø)
src/urllib3/util/ssl_.py 100.00% <100.00%> (ø)
src/urllib3/util/url.py 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 11fecfd...edb7841. Read the comment docs.

@pquentin
Copy link
Member Author

Ubuntu build timed out, retrying

@pquentin pquentin closed this Mar 12, 2021
@pquentin pquentin reopened this Mar 12, 2021
Copy link
Member

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking pretty good, a few comments for you:

# We ask for verification here but it may be disabled in HTTPSConnection.connect
context.check_hostname = cert_reqs == ssl.CERT_REQUIRED
if hasattr(context, "hostname_checks_common_name"):
context.hostname_checks_common_name = False # Python 3.7
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the # Python ... comment be on the if line to cover the whole branch?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the intent here is to remind us to remove this when we drop support for Python 3.6 while still making sure it's covered.

Now that I think about it more, the best thing to do is to rely on codecov telling us it's no longer covered when we drop Python 3.6.

test/with_dummyserver/test_socketlevel.py Show resolved Hide resolved
@@ -362,6 +362,18 @@ def connect(self):
ssl_version=resolve_ssl_version(self.ssl_version),
cert_reqs=resolve_cert_reqs(self.cert_reqs),
)
# In some cases, we want to verify hostnames ourselves
if (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love how this codifies all the situations where we disable check_hostname so nicely 🤩

@pquentin pquentin force-pushed the lean-on-sslcontext branch from ba4d13f to edb7841 Compare March 15, 2021 05:32
Copy link
Member

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all review comments are covered here, merge when ready! 🎉

@pquentin pquentin merged commit 7f56f2e into urllib3:main Mar 16, 2021
@pquentin
Copy link
Member Author

Thanks! Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Lean on SSLContext to do HTTPS hostname verification
2 participants