TLSAdapter bugfixes #96
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Python [1] and urllib3 [2] honor this environment variable by default, but because we're setting our own ssl_context, we don't get that behavior out of the box. SSLKEYLOGFILE support is very handy for debugging authentication problems through a network capture. [1]: https://github.com/python/cpython/blob/c053d52edd1e05ccc339e380b705749a3240d645/Lib/ssl.py#L725-L728 [2]: https://github.com/urllib3/urllib3/blob/b7c2910a9f49ba0d58c8d4381500c208f9a24765/src/urllib3/util/ssl_.py#L344-L349
the --no-verify flag has been broken since Python 3.4 when it is used together with --allow-insecure-ciphers. this is because setting cert_mode to NONE now requires previously setting check_hostname to False [1]. again, urllib3 normally takes care of this [2], but because we set our own ssl_context, we need to replicate this logic. [1]: python/cpython@1aa9a75#diff-89879be484d86da4e77c90d5408b2e10190ee27cc86337cd0f8efc3520d60621R2237-R2242 [2]: https://github.com/urllib3/urllib3/blob/b7c2910a9f49ba0d58c8d4381500c208f9a24765/src/urllib3/util/ssl_.py#L327-L337
mildsunrise
force-pushed
the
fix-tlsadapter
branch
from
b88283a to
a78357e
Compare
|
Thank you @mildsunrise, this is great. I believe a78357e will also fix #83. For a (partial) explanation of why getting all of the TLS tweaks right in |
dlenski
reviewed
Apr 17, 2024
|
yeah, it's frustrating that we can't make webkitgtk use python's TLS stack... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
when the
--allow-insecure-ciphersoption is used, we register our own HTTPAdapter which overrides thessl_contextused by connections.we need to do this in order to control the options and ciphers, but this bypasses the urllib3's
create_urllib3_contextlogic, which leads to some features not working when--allow-insecure-ciphersis in place.this PR replicates some of that logic to fix it; see each commit for explanation and references.