Support a servername parameter on HTTPSConnections #1397
Conversation
urllib3/connection.py
Outdated
| @@ -242,14 +242,15 @@ class HTTPSConnection(HTTPConnection): | |||
|
|
|||
| def __init__(self, host, port=None, key_file=None, cert_file=None, | |||
| strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, | |||
| ssl_context=None, **kw): | |||
| ssl_context=None, servername=None, **kw): | |||
There was a problem hiding this comment.
Can we use the same argument name as ssl_wrap_socket?
There was a problem hiding this comment.
Yep, can do. Changed it to server_hostname everywhere.
JackOfMostTrades
force-pushed
the
enable-servername-parameter
branch
from
f365329
to
8a4faeb
Compare
Codecov Report
@@ Coverage Diff @@
## master #1397 +/- ##
======================================
Coverage 100% 100%
======================================
Files 21 21
Lines 1788 1794 +6
======================================
+ Hits 1788 1794 +6
Continue to review full report at Codecov.
|
|
Also we'll need to make sure coverage stays at 100%. |
JackOfMostTrades
force-pushed
the
enable-servername-parameter
branch
from
8a4faeb
to
dd1809c
Compare
|
Sure thing; I've updated the PR with a changelog update and added a test which asserts that server_hostname gets passed through to the wrapped socket and gets the code coverage back up to 100%. |
|
And by the way, the docs in this project for helping a new developer get tests running are fantastic. That's always been such a struggle with other projects and it was incredibly easy this time around. I appreciate the time spent writing that and keeping it up to date! :) |
That's great to hear! |
JackOfMostTrades
force-pushed
the
enable-servername-parameter
branch
from
dd1809c
to
f3ff97b
Compare
|
Thanks for submitting this patch. Can you help me understand the use-case for this parameter? I'm unsure of a situation where you'd want to override the hostname sent via SNI compared to the one you're connecting to. |
Sure. This doesn't really apply on the public internet, but it's something I've run into quite a bit in internal infrastructure. The most common case where I've run into this where you're connecting by IP instead of hostname (but you still want a particular virtual host served back). There's a few reasons you might be connecting by IP:
|
|
Thanks for explaining it! Sounds good to me. 👍 |
|
Looks like a merge conflict that needs resolving for |
|
urllib3/connection.py moved to src/urllib3/connection.py, so that should not be too hard to fix. :) The good news is that there is a small chance that a rebase will also fix the test_client_no_intermediate error on Windows. |
…e name used for SNI/hostname verification.
JackOfMostTrades
force-pushed
the
enable-servername-parameter
branch
from
f3ff97b
to
1957cf7
Compare
|
Rebased. The windows test cleared up, although now a random macOS run of test_client_no_intermediate failed. |
|
Uh oh, @pquentin? |
|
@SethMichaelLarson Yes, this confirms that the serial number length issue is only a macOS 10.13+ issue or at least was not the only problem to fix. That at least makes sense, but unfortunately that also means that the macOS 10.12 flakiness on CI is not solved yet. At least now on every failing build we can see 1/ the actual exception 2/ where it got thrown. |
|
(However, the problem is unrelated to this pull request.) |
|
Merged! Thanks @JackOfMostTrades! 🎉 |
|
Yay! Thanks for everyone's time getting this cleaned up and merged in. I appreciate it! |
…e name used for SNI/hostname verification. (urllib3#1397)
This add the missing support to set the `server_hostname` setting when creating TCP connection, when the underlying connection is authenticated using TLS. See the documentation for the 2 stdlib functions: * https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.create_connection * https://docs.python.org/3/library/asyncio-eventloop.html#opening-network-connections The implemention is similar to what was done in urllib3 in urllib3/urllib3#1397 This would be needed to support features in clients using aiohttp, such as tomplus/kubernetes_asyncio#267 Closes: aio-libs#7114
This add the missing support to set the `server_hostname` setting when creating TCP connection, when the underlying connection is authenticated using TLS. See the documentation for the 2 stdlib functions: * https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.create_connection * https://docs.python.org/3/library/asyncio-eventloop.html#opening-network-connections The implemention is similar to what was done in urllib3 in urllib3/urllib3#1397 This would be needed to support features in clients using aiohttp, such as tomplus/kubernetes_asyncio#267 Closes: aio-libs#7114
This add the missing support to set the `server_hostname` setting when creating TCP connection, when the underlying connection is authenticated using TLS. See the documentation for the 2 stdlib functions: * https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.create_connection * https://docs.python.org/3/library/asyncio-eventloop.html#opening-network-connections The implemention is similar to what was done in urllib3 in urllib3/urllib3#1397 This would be needed to support features in clients using aiohttp, such as tomplus/kubernetes_asyncio#267 Closes: aio-libs#7114
…7541) ## What do these changes do? This adds the missing support to set the `server_hostname` setting when creating TCP connection, when the underlying connection is authenticated using TLS. See the documentation for the 2 stdlib functions: * https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.create_connection * https://docs.python.org/3/library/asyncio-eventloop.html#opening-network-connections This would be needed to support features in clients using aiohttp, such as tomplus/kubernetes_asyncio#267 ## Are there changes in behavior for the user? The default behavior should not change, but this would allow on a per-connection basis to specify a custom server name to check the certificate name against. ## Related issue number Closes: #7114 (for reference, similar implementation in urllib3: urllib3/urllib3#1397) ## Checklist - [x] I think the code is well written - [x] Unit tests for the changes exist - [x] Documentation reflects the changes - [x] If you provide code modification, please add yourself to `CONTRIBUTORS.txt` * The format is <Name> <Surname>. * Please keep alphabetical order, the file is sorted by names. - [x] Add a new news fragment into the `CHANGES` folder * name it `<issue_id>.<type>` for example (588.bugfix) * if you don't have an `issue_id` change it to the pr id after creating the pr * ensure type is one of the following: * `.feature`: Signifying a new feature. * `.bugfix`: Signifying a bug fix. * `.doc`: Signifying a documentation improvement. * `.removal`: Signifying a deprecation or removal of public API. * `.misc`: A ticket has been closed, but it is not of interest to users. * Make sure to use full sentences with correct case and punctuation, for example: "Fix issue with non-ascii contents in doctest text files." --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Sam Bull <aa6bs0@sambull.org>
…io-libs#7541) This adds the missing support to set the `server_hostname` setting when creating TCP connection, when the underlying connection is authenticated using TLS. See the documentation for the 2 stdlib functions: * https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.create_connection * https://docs.python.org/3/library/asyncio-eventloop.html#opening-network-connections This would be needed to support features in clients using aiohttp, such as tomplus/kubernetes_asyncio#267 The default behavior should not change, but this would allow on a per-connection basis to specify a custom server name to check the certificate name against. Closes: aio-libs#7114 (for reference, similar implementation in urllib3: urllib3/urllib3#1397) - [x] I think the code is well written - [x] Unit tests for the changes exist - [x] Documentation reflects the changes - [x] If you provide code modification, please add yourself to `CONTRIBUTORS.txt` * The format is <Name> <Surname>. * Please keep alphabetical order, the file is sorted by names. - [x] Add a new news fragment into the `CHANGES` folder * name it `<issue_id>.<type>` for example (588.bugfix) * if you don't have an `issue_id` change it to the pr id after creating the pr * ensure type is one of the following: * `.feature`: Signifying a new feature. * `.bugfix`: Signifying a bug fix. * `.doc`: Signifying a documentation improvement. * `.removal`: Signifying a deprecation or removal of public API. * `.misc`: A ticket has been closed, but it is not of interest to users. * Make sure to use full sentences with correct case and punctuation, for example: "Fix issue with non-ascii contents in doctest text files." --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Sam Bull <aa6bs0@sambull.org> (cherry picked from commit ac29dea)
The servername parameter allows callers to override the hostname used for SNI. If specified this hostname will also be used as the value for hostname verification instead of the actual hostname (unless assert_hostname is set).
This is the same option and semantics that node.js provides via the "servername" attribute, or that golang provides via the "ServerName" option.