Proxies should use proxy_ssl_context when connecting via ProxyConfig.use_forwarding_with_https = True #2577

sethmlarson · 2022-03-05T02:17:18Z

This was discovered in #2558 and discussed with @jalopezsilva on Discord. The gist is it appears that we're using HTTPSConnection.ssl_context to connect to HTTPS proxies when using use_forwarding_with_https = True mode. This is likely caused by us treating the proxy like it's the origin when we have proxies in "forwarding" mode and previously we didn't have a forwarding mode for HTTPS.

Minimum requirements

💵 You can get paid to complete this issue! Please read the docs for more information.

When ProxyConfig.use_forwarding_with_https = True and ssl_context is specified:
- If proxy_ssl_context is specified then error out with ValueError
- If proxy_ssl_context isn't specified:
  - On 1.26.x emit a DeprecationWarning instructing to switch to proxy_ssl_context and set the value of ssl_context to proxy_ssl_context
  - On 2.x raise a ValueError that proxy_ssl_context should be used, not ssl_context.
Only proxy_ssl_context should be used for creating the connection to proxies in all modes (HTTP->HTTPS, HTTPS->HTTP, HTTPS->HTTPS, in forwarding/tunnel modes).
Remove the skip to test_proxy_https_target_tls_error added in 9f4d05c

The text was updated successfully, but these errors were encountered:

Use proxy_ssl_context when fowarding to both a HTTPS destination (which occurs when use_forwarding_for_https=True) and to a HTTP destination. Raise an exception if both a proxy_ssl_context and a ssl_context are provided when use_forwarding_for_https=True. Add tests to verify these cases and modify test_proxy_https_target_tls_error in test_proxy_poolmanager to account for this new behavior. Fixes urllib3#2577

Use proxy_ssl_context when fowarding to both a HTTPS destination (which occurs when use_forwarding_for_https=True) and to a HTTP destination. Raise a warning if both a proxy_ssl_context and a ssl_context are provided when use_forwarding_for_https=True. Add tests to verify these cases and modify test_proxy_https_target_tls_error in test_proxy_poolmanager to account for this new behavior. Addresses urllib3#2577

Raise an exception if both a proxy_ssl_context and a ssl_context are provided when use_forwarding_for_https=True, instead of only raising a warning. Modify tests to account for change. Resolves urllib3#2577

fyunusa · 2022-08-13T10:54:01Z

Hi @sethmlarson have this issue been fixed ?
I propose this patch for the 2.x version

if use_forwarding_for_https == True and proxy_ssl_context != None:
            if isinstance(proxy_ssl_context, ssl.SSLContext) != True:
                self.proxy_config = ProxyConfig(proxy_ssl_context, use_forwarding_for_https)

            elif proxy_ssl_context == ssl.SSLContext:
                raise ValueError(
                    "proxy ssl context should be used, not ssl context"
                )

pquentin · 2022-08-19T18:54:09Z

You will need a pull request with tests before we can review your code.

fyunusa · 2022-08-19T22:44:18Z

OK @pquentin noted I'll work on that also

sethmlarson · 2022-08-19T23:31:17Z

@umarfarouk98 this issue is already being worked on by @avi364 I think in #2651?

fyunusa · 2022-08-19T23:52:01Z

OK yeah, I see that

sg3-141-592 · 2024-01-15T08:53:25Z

Hey @abebeos , I only ever got as far as adding the ValueError exception and a unit test for it. I'm not going to be finishing this change so feel free to reuse anything that's useful off my draft PR.

sethmlarson added the TLS label Mar 5, 2022

sethmlarson assigned jalopezsilva Mar 5, 2022

sethmlarson added a commit to sethmlarson/urllib3 that referenced this issue Mar 5, 2022

Skip expected failure due to urllib3#2577

36e81bb

sethmlarson added the Paid: $300 💵 label Jun 1, 2022

sethmlarson added 💰 Bounty $500 If you complete this issue we'll pay you $500 on OpenCollective! and removed Paid: $500 💵 labels Jun 21, 2022

avi364 linked a pull request Jun 22, 2022 that will close this issue

Use proxy_ssl_context as SSL ctx when forwarding #2651

Open

sg3-141-592 mentioned this issue Jun 17, 2023

Adding checks for proxy_ssl_context definition #3071

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proxies should use proxy_ssl_context when connecting via ProxyConfig.use_forwarding_with_https = True #2577

Proxies should use proxy_ssl_context when connecting via ProxyConfig.use_forwarding_with_https = True #2577

sethmlarson commented Mar 5, 2022 •

edited

fyunusa commented Aug 13, 2022 •

edited

pquentin commented Aug 19, 2022

fyunusa commented Aug 19, 2022

sethmlarson commented Aug 19, 2022 •

edited

fyunusa commented Aug 19, 2022

sg3-141-592 commented Jan 15, 2024

Proxies should use proxy_ssl_context when connecting via ProxyConfig.use_forwarding_with_https = True #2577

Proxies should use proxy_ssl_context when connecting via ProxyConfig.use_forwarding_with_https = True #2577

Comments

sethmlarson commented Mar 5, 2022 • edited

Minimum requirements

fyunusa commented Aug 13, 2022 • edited

pquentin commented Aug 19, 2022

fyunusa commented Aug 19, 2022

sethmlarson commented Aug 19, 2022 • edited

fyunusa commented Aug 19, 2022

sg3-141-592 commented Jan 15, 2024

sethmlarson commented Mar 5, 2022 •

edited

fyunusa commented Aug 13, 2022 •

edited

sethmlarson commented Aug 19, 2022 •

edited