Default certificates are never loaded since version 1.25 #1603

Closed
daa opened this issue May 8, 2019 · 2 comments · Fixed by #1608

daa commented May 8, 2019

Opening an HTTPS URL with urllib3>=1.25 results in SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)'))). An example to reproduce it follows:

import urllib3

http = urllib3.PoolManager()
http.request('GET', 'https://google.com/')

The reason is that the default system certificates are never loaded: HTTPSConnection or VerifiedHTTPSConnection creates an SSL context without loading certificates and passes it to ssl_wrap_socket, where the default certificates are not loaded either because the passed ssl_context is not None. Related lines of code:
src/urllib3/connection.py:

        if self.ssl_context is None:
            self.ssl_context = create_urllib3_context(
                ssl_version=resolve_ssl_version(None),
                cert_reqs=resolve_cert_reqs(None),
            )

        self.sock = ssl_wrap_socket(
            sock=conn,
            keyfile=self.key_file,
            certfile=self.cert_file,
            key_password=self.key_password,
            ssl_context=self.ssl_context,
            server_hostname=self.server_hostname
        )

src/urllib3/util/ssl_.py:

    elif ssl_context is None and hasattr(context, 'load_default_certs'):
        # try to load OS default certs; works well on Windows (require Python3.4+)
        context.load_default_certs()

@sethmlarson
Member

Yep, this looks incorrect. Unfortunately I can't currently think of a good way to handle this and maintain all our interfaces+contracts without calling load_default_certs() inside of HTTPSConnection. cc: @urllib3/maintainers

sethmlarson added the TLS label May 8, 2019

sethmlarson commented May 8, 2019

Basically this boils down to create_urllib3_context() not knowing about ca_cert or ca_cert_dir and so it can't make the call whether to load the default system certs or not. The loading of certs is all done in ssl_wrap_socket(). (imo create_urllib3_context() should probably be the place to load certs)

sethmlarson self-assigned this May 13, 2019
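
A simplified model of the control flow discussed in this issue, added here as an illustration; it is not urllib3's code and not the fix merged in #1608. The names `create_context`, `wrap`, `Connection125` and `ConnectionLoadsDefaults` are hypothetical, and no network connection is made. It shows why verification fails closed in the 1.25-style path (no trust anchors are ever loaded) and how the "load inside the connection" option mentioned above changes the outcome:

```python
import ssl

def create_context():
    # Stand-in for create_urllib3_context(): verification on, trust store left empty.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def wrap(ssl_context=None, ca_certs=None, ca_cert_dir=None):
    # Models the cert-loading branch of ssl_wrap_socket() quoted in the issue.
    # Returns (context, source of trust anchors) instead of a wrapped socket.
    context = ssl_context if ssl_context is not None else create_context()
    if ca_certs or ca_cert_dir:
        context.load_verify_locations(ca_certs, ca_cert_dir)
        return context, "explicit"
    if ssl_context is None and hasattr(context, "load_default_certs"):
        context.load_default_certs()
        return context, "system-default"
    return context, "none"  # a context was passed in, so defaults are skipped

class Connection125:
    # Models the connect() excerpt: it always hands wrap() a context.
    def __init__(self, ssl_context=None):
        self.ssl_context = ssl_context

    def connect(self):
        if self.ssl_context is None:
            self.ssl_context = create_context()
        return wrap(ssl_context=self.ssl_context)[1]

class ConnectionLoadsDefaults(Connection125):
    # Hypothetical variant: when the context is created here rather than
    # supplied by the caller, load the system store before wrapping.
    def connect(self):
        created_here = self.ssl_context is None
        if created_here:
            self.ssl_context = create_context()
            self.ssl_context.load_default_certs()
        source = wrap(ssl_context=self.ssl_context)[1]
        return "system-default" if created_here else source

if __name__ == "__main__":
    print("wrap() without a context:", wrap()[1])
    print("1.25-style connect():    ", Connection125().connect())
    print("variant connect():       ", ConnectionLoadsDefaults().connect())
```

In the variant, a context supplied by the caller is still left untouched, so the caller stays responsible for its trust store.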
HappyEinara added a commit to HappyEinara/pytest-vts that referenced this issue May 23, 2019
Urllib3 is failing above version 1.25 with a certificate issue. Pin it
for the time being.

See urllib3/urllib3#1603
HappyEinara added a commit to HappyEinara/pytest-vts that referenced this issue May 31, 2019
Urllib3 is failing above version 1.25 with a certificate issue. Pin it
for the time being.

See urllib3/urllib3#1603
bhodorog pushed a commit to bhodorog/pytest-vts that referenced this issue Jun 5, 2019
* Setup a manual http server. Add unittest for multiple Set-Cookie header.

* Add cherrypy based test for set-cookie through redirects.

* Use source files for -dev tox environment.

* Preserve original httplib response.

Requests expects a low-level response object at
Response.raw._original_response for its cookie handling. This is currently lost
in the interface between VTS and responses. This PR stashes the response and
retrieves it later to permit the proper behaviour of cookies.

* Bump version and pin urllib3

Urllib3 is failing above version 1.25 with a certificate issue. Pin it
for the time being.

See urllib3/urllib3#1603

* Fix cookie-handling to cope with multiple cookies.

- Vendor in and patch responses to handle cookies sent in
comma-separated headers
- Update tests