SSL verification issue with 1.25.4 (via requests) #1682
Comments
I'm unable to reproduce your issue with urllib3 1.25.4 and requests 2.22.0:

```python
>>> import requests
>>> s = requests.Session()
>>> s.verify = False
>>> s.get("https://expired.badssl.com", verify=False)
/tmp/venv/lib/python3.8/site-packages/urllib3/connectionpool.py:997: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
<Response [200]>
```

Could you post a more complete reproducer along with Python version, etc? |
Your example doesn't work for me. I tried I'll give you more info about my environment, I'm using Python 3.6.8.
I see that you are using Python 3.8, I'll try reproducing the bug in a docker container with Python 3.8. |
FWIW, we are also having this issue.... |
Same issue here. Can reproduce using
But will pass using
|
So does this issue only affect 3.6? I'll try on different Python versions. |
Python 3.5.7 works for me but Python 3.6.9 does not work but then Python 3.7.4 works again. |
Hmmm, was seeing this issue w/ 3.7.3 Python version: 3.7.3 (default, May 3 2019, 11:24:39) [GCC 8.3.0] |
I have the same problem in the exact same environment !! |
Found that
|
Yep, I'm seeing the same thing @dgilland. Looks like we have something to go on :) |
I tried using the debian-based Python image on DockerHub, I do not get the bug with I get with with |
So I have a script here:

```python
import requests

s = requests.Session()
s.verify = False
try:
    s.request("GET", "https://expired.badssl.com")
except Exception as e:
    print(e)

# Pull one connection out of the session's HTTPS pool and inspect it.
pools = s.adapters["https://"].poolmanager.pools
key = pools.keys()[0]
cp = pools[key]
conn = cp._get_conn()
try:
    conn.connect()
except Exception as e:
    print(e)
print(conn.ssl_context.verify_mode, conn.ssl_context.check_hostname)
```

Which makes the request then goes down into the urllib3 poolmanager and inspects a single connection's SSLContext object. On both working and non-working versions I'm getting the expected values |
I discovered the issue, it's this line here within

```python
# Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
# necessary for conditional client cert authentication with TLS 1.3.
# The attribute is None for OpenSSL <= 1.1.0 or does not exist in older
# versions of Python.
if getattr(context, "post_handshake_auth", None) is not None:
    context.post_handshake_auth = True
```

@tiran Is this a bug that setting this value to |
It's a bug in old versions of Python that only occurs when Python's ssl module is compiled with OpenSSL 1.1.1. The problem is fixed in recent versions:
|
Perhaps we won't enable the flag unless we have certificate verification enabled. I can't think of a world where you want to use a client cert and disable server cert verification. |
Guess how I found the bug in Python's ssl module. It's exactly that world... |
Noooo :-( What heuristic should I use to not set that flag? If verify is set to CERT_NONE should I skip trying to set it altogether? It's an optional behavior and the client cert is still sent, just a larger handshake? |
|
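The heuristic floated in the comments above (leave post-handshake auth off when verification is `CERT_NONE`), next to the unconditional behaviour of the quoted snippet. This is an added example, not urllib3's code and not part of the thread; `build_client_context`, `quoted_behaviour_context` and `has_risky_pha_combo` are hypothetical names.

```python
import ssl


def _new_context(cert_reqs):
    """Client context with the requested verify_mode (hypothetical helper)."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cert_reqs == ssl.CERT_NONE:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        context.check_hostname = False
    context.verify_mode = cert_reqs
    return context


def pha_supported(context):
    """The attribute is None for OpenSSL <= 1.1.0 and absent on older Pythons."""
    return getattr(context, "post_handshake_auth", None) is not None


def quoted_behaviour_context(cert_reqs):
    """Mirrors the snippet quoted in the thread: enable PHA whenever supported."""
    context = _new_context(cert_reqs)
    if pha_supported(context):
        context.post_handshake_auth = True
    return context


def build_client_context(cert_reqs=ssl.CERT_REQUIRED):
    """Heuristic from the discussion: skip PHA when verification is disabled."""
    context = _new_context(cert_reqs)
    if pha_supported(context) and cert_reqs != ssl.CERT_NONE:
        context.post_handshake_auth = True
    return context


def has_risky_pha_combo(context):
    """True when PHA is paired with CERT_NONE, the combination the thread
    identifies as failing on affected Python builds linked to OpenSSL 1.1.1."""
    return (
        getattr(context, "post_handshake_auth", None) is True
        and context.verify_mode == ssl.CERT_NONE
    )


if __name__ == "__main__":
    for name, factory in (("quoted", quoted_behaviour_context),
                          ("heuristic", build_client_context)):
        ctx = factory(ssl.CERT_NONE)
        print(name, ssl.OPENSSL_VERSION, "risky combo:", has_risky_pha_combo(ctx))
```

`has_risky_pha_combo` can also be pointed at a live context, such as the `conn.ssl_context` object the diagnostic scripts in this thread print.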
This is closed in v1.25.5. |
Thanks everyone for the quick resolution! |
urllib3-1.25.4 breaks k8s due to this bug: urllib3/urllib3#1682
urllib3-1.25.4 breaks k8s due to this bug: urllib3/urllib3#1682 (cherry picked from commit d3dfea9) Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
So as it seems for me it is not fixed in 1.25.5 nor 1.25.6 for Ubuntu systems. It works on Windows but not on Ubuntu. Both running Py 3.7.3 |
This still exists in Python 3.7.6. |
Still exists in Python 3.8.5 (via gql that uses urllib3 1.25.8) |
@mkmozgawa You'll have to be more specific about your environment as I wasn't able to reproduce on Linux + Python 3.8.5 and OpenSSL 1.1.1d. Could you run this script and provide me the output:

```python
import ssl
import platform
import requests
import urllib3

# Report the environment the request runs in.
print("OS", platform.system(), platform.version())
print("Python", platform.python_version())
print("OpenSSL", ssl.OPENSSL_VERSION)
print("Requests", requests.__version__)
print("Urllib3", urllib3.__version__)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

s = requests.Session()
s.verify = False
try:
    s.request("GET", "https://expired.badssl.com")
except Exception as e:
    print("Issue detected")
    print(e)
else:
    print("Issue not detected")

# Inspect the SSLContext of one pooled connection.
pools = s.adapters["https://"].poolmanager.pools
key = pools.keys()[0]
cp = pools[key]
conn = cp._get_conn()
print("SSLContext", conn.ssl_context.verify_mode, conn.ssl_context.check_hostname)
```

For me this outputs:
|
Hi @sethmlarson, thanks for your quick response. I ran your script and it seems that the output here is as expected:
Seems like it's another issue on my side, then. Thank you for your help. |
This appeared again on Python 3.8.6 with OpenSSL 1.1.1g (el8):
And on Python 3.9.5 with OpenSSL 1.1.1k (Fedora 34):
|
@ahills Can't help but notice both of those OpenSSL versions you posted are FIPS, could that have something to do with it? Also it looks like |
@SethMichaelLarson I still see this issue on requests version 2.20.0, urllib3 version - 1.24.2, OpenSSL 1.1.1 FIPS and python3.6.8 |
Hi! I'm using `requests` 2.22.0 and `urllib3` 1.25.4.

In requests, I need to disable certificate verification because we use self-signed certificates. I create a `Session` object and set its `verify` property to `False`, which used to work perfectly fine until `urllib3` 1.25.4.

This is the stacktrace

I tried installing `urllib3` 1.25.3 and there is no issue. It seems like the SSL error was introduced in 1.25.4.