Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-urllib3 for openSUSE:Factory
checked in at 2021-11-03 17:25:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old)
and /work/SRC/openSUSE:Factory/.python-urllib3.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3"
Wed Nov 3 17:25:10 2021 rev:48 rq:928316 version:1.26.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes
2021-07-16 22:13:20.054579173 +0200
+++ /work/SRC/openSUSE:Factory/.python-urllib3.new.1890/python-urllib3.changes
2021-11-03 17:25:14.925303845 +0100
@@ -1,0 +2,9 @@
+Tue Oct 26 21:02:38 UTC 2021 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 1.26.7:
+ * Fixed a bug with HTTPS hostname verification involving IP addresses and
lack
+ of SNI.
+ * Fixed a bug where IPv6 braces weren't stripped during certificate hostname
+ matching.
+
+-------------------------------------------------------------------
Old:
----
urllib3-1.26.6.tar.gz
New:
----
urllib3-1.26.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-urllib3.spec ++++++
--- /var/tmp/diff_new_pack.oRgeki/_old 2021-11-03 17:25:15.537304180 +0100
+++ /var/tmp/diff_new_pack.oRgeki/_new 2021-11-03 17:25:15.537304180 +0100
@@ -27,7 +27,7 @@
%bcond_with test
%endif
Name: python-urllib3%{psuffix}
-Version: 1.26.6
+Version: 1.26.7
Release: 0
Summary: HTTP library with thread-safe connection pooling, file post,
and more
License: MIT
++++++ urllib3-1.26.6.tar.gz -> urllib3-1.26.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/CHANGES.rst
new/urllib3-1.26.7/CHANGES.rst
--- old/urllib3-1.26.6/CHANGES.rst 2021-06-25 15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/CHANGES.rst 2021-09-22 20:00:21.000000000 +0200
@@ -1,6 +1,14 @@
Changes
=======
+1.26.7 (2021-09-22)
+-------------------
+* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
+ of SNI. (Issue #2400)
+* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
+ matching. (Issue #2240)
+
+
1.26.6 (2021-06-25)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/PKG-INFO new/urllib3-1.26.7/PKG-INFO
--- old/urllib3-1.26.6/PKG-INFO 2021-06-25 15:20:57.968305300 +0200
+++ new/urllib3-1.26.7/PKG-INFO 2021-09-22 20:00:56.037445500 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: urllib3
-Version: 1.26.6
+Version: 1.26.7
Summary: HTTP library with thread-safe connection pooling, file post, and more.
Home-page: https://urllib3.readthedocs.io/
Author: Andrey Petrov
@@ -143,6 +143,14 @@
Changes
=======
+1.26.7 (2021-09-22)
+-------------------
+* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
+ of SNI. (Issue #2400)
+* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
+ matching. (Issue #2240)
+
+
1.26.6 (2021-06-25)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/_version.py
new/urllib3-1.26.7/src/urllib3/_version.py
--- old/urllib3-1.26.6/src/urllib3/_version.py 2021-06-25 15:20:25.000000000
+0200
+++ new/urllib3-1.26.7/src/urllib3/_version.py 2021-09-22 20:00:21.000000000
+0200
@@ -1,2 +1,2 @@
# This file is protected via CODEOWNERS
-__version__ = "1.26.6"
+__version__ = "1.26.7"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/connection.py
new/urllib3-1.26.7/src/urllib3/connection.py
--- old/urllib3-1.26.6/src/urllib3/connection.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/src/urllib3/connection.py 2021-09-22
20:00:21.000000000 +0200
@@ -56,6 +56,7 @@
from .util.ssl_ import (
assert_fingerprint,
create_urllib3_context,
+ is_ipaddress,
resolve_cert_reqs,
resolve_ssl_version,
ssl_wrap_socket,
@@ -107,6 +108,10 @@
#: Whether this connection verifies the host's certificate.
is_verified = False
+ #: Whether this proxy connection (if used) verifies the proxy host's
+ #: certificate.
+ proxy_is_verified = None
+
def __init__(self, *args, **kw):
if not six.PY2:
kw.pop("strict", None)
@@ -490,14 +495,10 @@
self.ca_cert_dir,
self.ca_cert_data,
)
- # By default urllib3's SSLContext disables `check_hostname` and uses
- # a custom check. For proxies we're good with relying on the default
- # verification.
- ssl_context.check_hostname = True
# If no cert was provided, use only the default options for server
# certificate validation
- return ssl_wrap_socket(
+ socket = ssl_wrap_socket(
sock=conn,
ca_certs=self.ca_certs,
ca_cert_dir=self.ca_cert_dir,
@@ -506,8 +507,37 @@
ssl_context=ssl_context,
)
+ if ssl_context.verify_mode != ssl.CERT_NONE and not getattr(
+ ssl_context, "check_hostname", False
+ ):
+ # While urllib3 attempts to always turn off hostname matching from
+ # the TLS library, this cannot always be done. So we check whether
+ # the TLS Library still thinks it's matching hostnames.
+ cert = socket.getpeercert()
+ if not cert.get("subjectAltName", ()):
+ warnings.warn(
+ (
+ "Certificate for {0} has no `subjectAltName`, falling
back to check for a "
+ "`commonName` for now. This feature is being removed
by major browsers and "
+ "deprecated by RFC 2818. (See
https://github.com/urllib3/urllib3/issues/497 "
+ "for details.)".format(hostname)
+ ),
+ SubjectAltNameWarning,
+ )
+ _match_hostname(cert, hostname)
+
+ self.proxy_is_verified = ssl_context.verify_mode == ssl.CERT_REQUIRED
+ return socket
+
def _match_hostname(cert, asserted_hostname):
+ # Our upstream implementation of ssl.match_hostname()
+ # only applies this normalization to IP addresses so it doesn't
+ # match DNS SANs so we do the same thing!
+ stripped_hostname = asserted_hostname.strip("u[]")
+ if is_ipaddress(stripped_hostname):
+ asserted_hostname = stripped_hostname
+
try:
match_hostname(cert, asserted_hostname)
except CertificateError as e:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/connectionpool.py
new/urllib3-1.26.7/src/urllib3/connectionpool.py
--- old/urllib3-1.26.6/src/urllib3/connectionpool.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/src/urllib3/connectionpool.py 2021-09-22
20:00:21.000000000 +0200
@@ -1020,6 +1020,17 @@
InsecureRequestWarning,
)
+ if getattr(conn, "proxy_is_verified", None) is False:
+ warnings.warn(
+ (
+ "Unverified HTTPS connection done to an HTTPS proxy. "
+ "Adding certificate verification is strongly advised. See:
"
+
"https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html";
+ "#ssl-warnings"
+ ),
+ InsecureRequestWarning,
+ )
+
def connection_from_url(url, **kw):
"""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/urllib3-1.26.6/src/urllib3/contrib/_securetransport/low_level.py
new/urllib3-1.26.7/src/urllib3/contrib/_securetransport/low_level.py
--- old/urllib3-1.26.6/src/urllib3/contrib/_securetransport/low_level.py
2021-06-25 15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/src/urllib3/contrib/_securetransport/low_level.py
2021-09-22 20:00:21.000000000 +0200
@@ -188,6 +188,7 @@
# We only want to do that if an error occurs: otherwise, the caller
# should free.
CoreFoundation.CFRelease(cert_array)
+ raise
return cert_array
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/util/proxy.py
new/urllib3-1.26.7/src/urllib3/util/proxy.py
--- old/urllib3-1.26.6/src/urllib3/util/proxy.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/src/urllib3/util/proxy.py 2021-09-22
20:00:21.000000000 +0200
@@ -45,6 +45,7 @@
ssl_version=resolve_ssl_version(ssl_version),
cert_reqs=resolve_cert_reqs(cert_reqs),
)
+
if (
not ca_certs
and not ca_cert_dir
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3.egg-info/PKG-INFO
new/urllib3-1.26.7/src/urllib3.egg-info/PKG-INFO
--- old/urllib3-1.26.6/src/urllib3.egg-info/PKG-INFO 2021-06-25
15:20:57.000000000 +0200
+++ new/urllib3-1.26.7/src/urllib3.egg-info/PKG-INFO 2021-09-22
20:00:55.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: urllib3
-Version: 1.26.6
+Version: 1.26.7
Summary: HTTP library with thread-safe connection pooling, file post, and more.
Home-page: https://urllib3.readthedocs.io/
Author: Andrey Petrov
@@ -143,6 +143,14 @@
Changes
=======
+1.26.7 (2021-09-22)
+-------------------
+* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
+ of SNI. (Issue #2400)
+* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
+ matching. (Issue #2240)
+
+
1.26.6 (2021-06-25)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/test/conftest.py
new/urllib3-1.26.7/test/conftest.py
--- old/urllib3-1.26.6/test/conftest.py 2021-06-25 15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/test/conftest.py 2021-09-22 20:00:21.000000000 +0200
@@ -11,6 +11,7 @@
from tornado import ioloop, web
from dummyserver.handlers import TestingApp
+from dummyserver.proxy import ProxyHandler
from dummyserver.server import HAS_IPV6, run_tornado_app
from dummyserver.testcase import HTTPSDummyServerTestCase
from urllib3.util import ssl_
@@ -30,16 +31,21 @@
ServerConfig = collections.namedtuple("ServerConfig", ["host", "port",
"ca_certs"])
+def _write_cert_to_dir(cert, tmpdir, file_prefix="server"):
+ cert_path = str(tmpdir / ("%s.pem" % file_prefix))
+ key_path = str(tmpdir / ("%s.key" % file_prefix))
+ cert.private_key_pem.write_to_path(key_path)
+ cert.cert_chain_pems[0].write_to_path(cert_path)
+ certs = {"keyfile": key_path, "certfile": cert_path}
+ return certs
+
+
@contextlib.contextmanager
def run_server_in_thread(scheme, host, tmpdir, ca, server_cert):
ca_cert_path = str(tmpdir / "ca.pem")
- server_cert_path = str(tmpdir / "server.pem")
- server_key_path = str(tmpdir / "server.key")
ca.cert_pem.write_to_path(ca_cert_path)
- server_cert.private_key_pem.write_to_path(server_key_path)
- server_cert.cert_chain_pems[0].write_to_path(server_cert_path)
- server_certs = {"keyfile": server_key_path, "certfile": server_cert_path}
+ server_certs = _write_cert_to_dir(server_cert, tmpdir)
io_loop = ioloop.IOLoop.current()
app = web.Application([(r".*", TestingApp)])
server, port = run_tornado_app(app, io_loop, server_certs, scheme, host)
@@ -53,6 +59,39 @@
server_thread.join()
+@contextlib.contextmanager
+def run_server_and_proxy_in_thread(
+ proxy_scheme, proxy_host, tmpdir, ca, proxy_cert, server_cert
+):
+ ca_cert_path = str(tmpdir / "ca.pem")
+ ca.cert_pem.write_to_path(ca_cert_path)
+
+ server_certs = _write_cert_to_dir(server_cert, tmpdir)
+ proxy_certs = _write_cert_to_dir(proxy_cert, tmpdir, "proxy")
+
+ io_loop = ioloop.IOLoop.current()
+ server = web.Application([(r".*", TestingApp)])
+ server, port = run_tornado_app(server, io_loop, server_certs, "https",
"localhost")
+ server_config = ServerConfig("localhost", port, ca_cert_path)
+
+ proxy = web.Application([(r".*", ProxyHandler)])
+ proxy_app, proxy_port = run_tornado_app(
+ proxy, io_loop, proxy_certs, proxy_scheme, proxy_host
+ )
+ proxy_config = ServerConfig(proxy_host, proxy_port, ca_cert_path)
+
+ server_thread = threading.Thread(target=io_loop.start)
+ server_thread.start()
+
+ yield (proxy_config, server_config)
+
+ io_loop.add_callback(server.stop)
+ io_loop.add_callback(proxy_app.stop)
+ io_loop.add_callback(io_loop.stop)
+
+ server_thread.join()
+
+
@pytest.fixture
def no_san_server(tmp_path_factory):
tmpdir = tmp_path_factory.mktemp("certs")
@@ -65,6 +104,20 @@
@pytest.fixture
+def no_san_proxy(tmp_path_factory):
+ tmpdir = tmp_path_factory.mktemp("certs")
+ ca = trustme.CA()
+ # only common name, no subject alternative names
+ proxy_cert = ca.issue_cert(common_name=u"localhost")
+ server_cert = ca.issue_cert(u"localhost")
+
+ with run_server_and_proxy_in_thread(
+ "https", "localhost", tmpdir, ca, proxy_cert, server_cert
+ ) as cfg:
+ yield cfg
+
+
+@pytest.fixture
def no_localhost_san_server(tmp_path_factory):
tmpdir = tmp_path_factory.mktemp("certs")
ca = trustme.CA()
@@ -76,7 +129,37 @@
@pytest.fixture
-def ip_san_server(tmp_path_factory):
+def ipv4_san_proxy(tmp_path_factory):
+ tmpdir = tmp_path_factory.mktemp("certs")
+ ca = trustme.CA()
+ # IP address in Subject Alternative Name
+ proxy_cert = ca.issue_cert(u"127.0.0.1")
+
+ server_cert = ca.issue_cert(u"localhost")
+
+ with run_server_and_proxy_in_thread(
+ "https", "127.0.0.1", tmpdir, ca, proxy_cert, server_cert
+ ) as cfg:
+ yield cfg
+
+
+@pytest.fixture
+def ipv6_san_proxy(tmp_path_factory):
+ tmpdir = tmp_path_factory.mktemp("certs")
+ ca = trustme.CA()
+ # IP addresses in Subject Alternative Name
+ proxy_cert = ca.issue_cert(u"::1")
+
+ server_cert = ca.issue_cert(u"localhost")
+
+ with run_server_and_proxy_in_thread(
+ "https", "::1", tmpdir, ca, proxy_cert, server_cert
+ ) as cfg:
+ yield cfg
+
+
+@pytest.fixture
+def ipv4_san_server(tmp_path_factory):
tmpdir = tmp_path_factory.mktemp("certs")
ca = trustme.CA()
# IP address in Subject Alternative Name
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/test/contrib/test_pyopenssl.py
new/urllib3-1.26.7/test/contrib/test_pyopenssl.py
--- old/urllib3-1.26.6/test/contrib/test_pyopenssl.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/test/contrib/test_pyopenssl.py 2021-09-22
20:00:21.000000000 +0200
@@ -34,7 +34,7 @@
from ..test_util import TestUtilSSL # noqa: E402, F401
from ..with_dummyserver.test_https import ( # noqa: E402, F401
TestHTTPS,
- TestHTTPS_IPSAN,
+ TestHTTPS_IPV4SAN,
TestHTTPS_IPv6Addr,
TestHTTPS_IPV6SAN,
TestHTTPS_NoSAN,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/test/contrib/test_securetransport.py
new/urllib3-1.26.7/test/contrib/test_securetransport.py
--- old/urllib3-1.26.6/test/contrib/test_securetransport.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/test/contrib/test_securetransport.py 2021-09-22
20:00:21.000000000 +0200
@@ -1,4 +1,5 @@
# -*- coding: utf-8 -*-
+import base64
import contextlib
import socket
import ssl
@@ -52,3 +53,15 @@
ws = WrappedSocket(s)
with pytest.raises(ssl.SSLError):
ws._custom_validate(True, b"")
+
+
+def test_no_crash_with_invalid_trust_bundle():
+ invalid_cert = base64.b64encode(b"invalid-cert")
+ cert_bundle = (
+ b"-----BEGIN CERTIFICATE-----\n" + invalid_cert + b"\n-----END
CERTIFICATE-----"
+ )
+
+ with contextlib.closing(socket.socket()) as s:
+ ws = WrappedSocket(s)
+ with pytest.raises(ssl.SSLError):
+ ws._custom_validate(True, cert_bundle)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/test/test_connection.py
new/urllib3-1.26.7/test/test_connection.py
--- old/urllib3-1.26.6/test/test_connection.py 2021-06-25 15:20:25.000000000
+0200
+++ new/urllib3-1.26.7/test/test_connection.py 2021-09-22 20:00:21.000000000
+0200
@@ -43,6 +43,42 @@
)
assert e._peer_cert == cert
+ def test_match_hostname_ip_address_ipv6(self):
+ cert = {"subjectAltName": (("IP Address", "1:2::2:1"),)}
+ asserted_hostname = "1:2::2:2"
+ try:
+ with mock.patch("urllib3.connection.log.warning") as mock_log:
+ _match_hostname(cert, asserted_hostname)
+ except CertificateError as e:
+ assert "hostname '1:2::2:2' doesn't match '1:2::2:1'" in str(e)
+ mock_log.assert_called_once_with(
+ "Certificate did not match expected hostname: %s. Certificate:
%s",
+ "1:2::2:2",
+ {"subjectAltName": (("IP Address", "1:2::2:1"),)},
+ )
+ assert e._peer_cert == cert
+
+ def test_match_hostname_dns_with_brackets_doesnt_match(self):
+ cert = {
+ "subjectAltName": (
+ ("DNS", "localhost"),
+ ("IP Address", "localhost"),
+ )
+ }
+ asserted_hostname = "[localhost]"
+ with pytest.raises(CertificateError) as e:
+ _match_hostname(cert, asserted_hostname)
+ assert (
+ "hostname '[localhost]' doesn't match either of 'localhost',
'localhost'"
+ in str(e.value)
+ )
+
+ def test_match_hostname_ip_address_ipv6_brackets(self):
+ cert = {"subjectAltName": (("IP Address", "1:2::2:1"),)}
+ asserted_hostname = "[1:2::2:1]"
+ # Assert no error is raised
+ _match_hostname(cert, asserted_hostname)
+
def test_recent_date(self):
# This test is to make sure that the RECENT_DATE value
# doesn't get too far behind what the current date is.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/urllib3-1.26.6/test/with_dummyserver/test_https.py
new/urllib3-1.26.7/test/with_dummyserver/test_https.py
--- old/urllib3-1.26.6/test/with_dummyserver/test_https.py 2021-06-25
15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/test/with_dummyserver/test_https.py 2021-09-22
20:00:21.000000000 +0200
@@ -859,29 +859,25 @@
assert warn.called
-class TestHTTPS_IPSAN:
- def test_can_validate_ip_san(self, ip_san_server):
+class TestHTTPS_IPV4SAN:
+ def test_can_validate_ip_san(self, ipv4_san_server):
"""Ensure that urllib3 can validate SANs with IP addresses in them."""
- try:
- import ipaddress # noqa: F401
- except ImportError:
- pytest.skip("Only runs on systems with an ipaddress module")
-
with HTTPSConnectionPool(
- ip_san_server.host,
- ip_san_server.port,
+ ipv4_san_server.host,
+ ipv4_san_server.port,
cert_reqs="CERT_REQUIRED",
- ca_certs=ip_san_server.ca_certs,
+ ca_certs=ipv4_san_server.ca_certs,
) as https_pool:
r = https_pool.request("GET", "/")
assert r.status == 200
class TestHTTPS_IPv6Addr:
- def test_strip_square_brackets_before_validating(self, ipv6_addr_server):
+ @pytest.mark.parametrize("host", ["::1", "[::1]"])
+ def test_strip_square_brackets_before_validating(self, ipv6_addr_server,
host):
"""Test that the fix for #760 works."""
with HTTPSConnectionPool(
- "[::1]",
+ host,
ipv6_addr_server.port,
cert_reqs="CERT_REQUIRED",
ca_certs=ipv6_addr_server.ca_certs,
@@ -891,15 +887,11 @@
class TestHTTPS_IPV6SAN:
- def test_can_validate_ipv6_san(self, ipv6_san_server):
+ @pytest.mark.parametrize("host", ["::1", "[::1]"])
+ def test_can_validate_ipv6_san(self, ipv6_san_server, host):
"""Ensure that urllib3 can validate SANs with IPv6 addresses in
them."""
- try:
- import ipaddress # noqa: F401
- except ImportError:
- pytest.skip("Only runs on systems with an ipaddress module")
-
with HTTPSConnectionPool(
- "[::1]",
+ host,
ipv6_san_server.port,
cert_reqs="CERT_REQUIRED",
ca_certs=ipv6_san_server.ca_certs,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/urllib3-1.26.6/test/with_dummyserver/test_proxy_poolmanager.py
new/urllib3-1.26.7/test/with_dummyserver/test_proxy_poolmanager.py
--- old/urllib3-1.26.6/test/with_dummyserver/test_proxy_poolmanager.py
2021-06-25 15:20:25.000000000 +0200
+++ new/urllib3-1.26.7/test/with_dummyserver/test_proxy_poolmanager.py
2021-09-22 20:00:21.000000000 +0200
@@ -3,6 +3,7 @@
import shutil
import socket
import tempfile
+import warnings
from test import (
LONG_TIMEOUT,
SHORT_TIMEOUT,
@@ -21,11 +22,13 @@
from urllib3.connectionpool import VerifiedHTTPSConnection, connection_from_url
from urllib3.exceptions import (
ConnectTimeoutError,
+ InsecureRequestWarning,
MaxRetryError,
ProxyError,
ProxySchemeUnknown,
ProxySchemeUnsupported,
SSLError,
+ SubjectAltNameWarning,
)
from urllib3.poolmanager import ProxyManager, proxy_from_url
from urllib3.util.ssl_ import create_urllib3_context
@@ -213,6 +216,24 @@
assert isinstance(e.value.reason, SSLError)
assert "doesn't match" in str(e.value.reason)
+ @onlyPy3
+ def test_proxy_verified_warning(self):
+ """Skip proxy verification to validate warnings are generated"""
+ with warnings.catch_warnings(record=True) as w:
+ with proxy_from_url(self.https_proxy_url, cert_reqs="NONE") as
https:
+ r = https.request("GET", "%s/" % self.https_url)
+ assert r.status == 200
+ assert len(w) == 2 # We expect two warnings (proxy, destination)
+ assert w[0].category == InsecureRequestWarning
+ assert w[1].category == InsecureRequestWarning
+ messages = set(str(x.message) for x in w)
+ expected = [
+ "Unverified HTTPS request is being made to host 'localhost'",
+ "Unverified HTTPS connection done to an HTTPS proxy.",
+ ]
+ for warn_message in expected:
+ assert [msg for msg in messages if warn_message in expected]
+
def test_redirect(self):
with proxy_from_url(self.proxy_url) as http:
r = http.request(
@@ -565,3 +586,35 @@
assert "hostname 'localhost' doesn't match" in str(
e.value.reason
) or "Hostname mismatch" in str(e.value.reason)
+
+ @onlyPy3
+ def test_https_proxy_ipv4_san(self, ipv4_san_proxy):
+ proxy, server = ipv4_san_proxy
+ proxy_url = "https://%s:%s"; % (proxy.host, proxy.port)
+ destination_url = "https://%s:%s"; % (server.host, server.port)
+ with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https:
+ r = https.request("GET", destination_url)
+ assert r.status == 200
+
+ @onlyPy3
+ def test_https_proxy_ipv6_san(self, ipv6_san_proxy):
+ proxy, server = ipv6_san_proxy
+ proxy_url = "https://[%s]:%s"; % (proxy.host, proxy.port)
+ destination_url = "https://%s:%s"; % (server.host, server.port)
+ with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https:
+ r = https.request("GET", destination_url)
+ assert r.status == 200
+
+ @onlyPy3
+ def test_https_proxy_common_name_warning(self, no_san_proxy):
+ proxy, server = no_san_proxy
+ proxy_url = "https://%s:%s"; % (proxy.host, proxy.port)
+ destination_url = "https://%s:%s"; % (server.host, server.port)
+
+ with warnings.catch_warnings(record=True) as w:
+ with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https:
+ r = https.request("GET", destination_url)
+ assert r.status == 200
+
+ assert len(w) == 1
+ assert w[0].category == SubjectAltNameWarning
