Terminate connection when custom verification fails (SecureTransport)

[hodbn]

Closes #1976.
It was fixed by manually sending TLS alerts and then terminating the connection.

I've added a helper to send TLS alerts since I couldn't find any supported way of sending a TLS alert in SecureTransport.

[codecov]

Codecov Report

Merging #1977 into master will increase coverage by 0.04%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           master     #1977      +/-   ##
===========================================
+ Coverage   99.95%   100.00%   +0.04%     
===========================================
  Files          25        25              
  Lines        2294      2294              
===========================================
+ Hits         2293      2294       +1     
+ Misses          1         0       -1     

Impacted Files	Coverage Δ
src/urllib3/contrib/_appengine_environ.py	100.00% <0.00%> (+10.00%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3308d65...8f9b974. Read the comment docs.

[sethmlarson]

Thanks for this! I'm sad that we so much micromanaging of SecureTransport sockets here but 🤷

Definitely need to check the TLS alert record getting sent in Wireshark somehow.

[pquentin]

@hodbn I merged master into your branch to fix the conflicts caused by the isort pull request.

[hodbn]

Definitely need to check the TLS alert record getting sent in Wireshark somehow.

Now asserting that the SSL server error references the alert:

urllib3/test/with_dummyserver/test_socketlevel.py

Line 1460 in d5d2a88

assert "alert unknown ca" in str(e)

Done

[pquentin]

Looks good, thanks! I ran the new test multiple thousands of times and it does not seem to be flaky on my machine.

[pquentin]

Is there some useful documentation or even StackOverflow link for this?

[sethmlarson]

@pquentin Thanks for reviewing and merging this!! 🥳