Terminate connection when custom verification fails (SecureTransport) #1977
Codecov Report

| | master | #1977 | +/- |
|---|---|---|---|
| Coverage | 99.95% | 100.00% | +0.04% |
| Files | 25 | 25 | |
| Lines | 2294 | 2294 | |
| Hits | 2293 | 2294 | +1 |
| Misses | 1 | 0 | -1 |

Continue to review full report at Codecov.
Thanks for this! I'm sad that we do so much micromanaging of SecureTransport sockets here but 🤷
Definitely need to check the TLS alert record getting sent in Wireshark somehow.
@hodbn I merged master into your branch to fix the conflicts caused by the isort pull request.

Now asserting that the SSL server error references the alert: `urllib3/test/with_dummyserver/test_socketlevel.py`, line 1460 in d5d2a88
Looks good, thanks! I ran the new test multiple thousands of times and it does not seem to be flaky on my machine.
```python
def _build_tls_unknown_ca_alert(version):
    """
    Builds a TLS alert record for an unknown CA.
    """
```
Is there some useful documentation or even StackOverflow link for this?
@pquentin Thanks for reviewing and merging this!! 🥳
Closes #1976.
It was fixed by manually sending TLS alerts and then terminating the connection.
I've added a helper to send TLS alerts since I couldn't find any supported way of sending a TLS alert in SecureTransport.
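The record the PR's helper has to build, and the "send the alert, then terminate" sequence the description refers to, as an added example that is not part of this pull request or of urllib3's test suite. The wire layout follows RFC 5246 section 6.2.1 (record header) and section 7.2 (alert protocol): content type 0x15, a two-byte protocol version, a two-byte length, then the two-byte alert body (level, description; `unknown_ca` is 48, `fatal` is 2). The function names `build_tls_alert`, `parse_tls_alert`, `reject_peer_and_close` and `demo` are mine, and the socketpair exchange in `demo` is a constructed stand-in for a real client/server pair.

```python
import socket
import struct

# Record-layer content type for the alert protocol (RFC 5246, section 6.2.1).
CONTENT_TYPE_ALERT = 0x15

# AlertLevel values (RFC 5246, section 7.2).
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2

# A few AlertDescription values from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ALERT_UNKNOWN_CA = 48

# ProtocolVersion (major, minor) pairs as they appear on the wire.
# TLS 1.3 alerts are also carried in a record whose version field reads 0x0303.
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)


def build_tls_alert(version, description, level=ALERT_LEVEL_FATAL):
    """Build one TLS record carrying one Alert message.

    Layout: ContentType(1) | ProtocolVersion(2) | length(2) | level(1) | description(1).
    """
    major, minor = version
    body = struct.pack("!BB", level, description)
    header = struct.pack("!BBBH", CONTENT_TYPE_ALERT, major, minor, len(body))
    return header + body


def parse_tls_alert(record):
    """Decode an alert record; raise ValueError if it is not a well-formed alert."""
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % content_type)
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = struct.unpack("!BB", record[5:7])
    return {
        "version": (major, minor),
        "level": "fatal" if level == ALERT_LEVEL_FATAL else "warning",
        "description": ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description),
    }


def reject_peer_and_close(sock, version=TLS_1_2, description=ALERT_UNKNOWN_CA):
    """Send a fatal alert to the peer, then terminate the connection.

    This is what a client does once its own certificate check has failed:
    tell the server why, then close, rather than silently dropping the socket.
    Returns the record that was sent.
    """
    record = build_tls_alert(version, description)
    sock.sendall(record)
    sock.shutdown(socket.SHUT_RDWR)
    sock.close()
    return record


def demo():
    """Constructed exchange over a socketpair: client rejects, server observes the alert.

    Returns the decoded alert the server saw and whatever it read afterwards
    (b"" once the client has closed).
    """
    server_side, client_side = socket.socketpair()
    try:
        reject_peer_and_close(client_side, TLS_1_2, ALERT_UNKNOWN_CA)
        data = server_side.recv(4096)
        trailing = server_side.recv(4096)
        return parse_tls_alert(data), trailing
    finally:
        server_side.close()


if __name__ == "__main__":
    alert, trailing = demo()
    print("server saw alert:", alert, "then EOF:", trailing == b"")
```

The server side of the exchange is what the PR's test asserts on: the dummy server's SSL error should mention the alert, which it can only do if the client actually puts the alert record on the wire before closing.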