Comments (4)
nateprewitt
commented on July 21, 2024
Thanks for the report, @jeffreytolar. It does looks like we're not checking the certs provided by the Session before opting into the default context, I've put together fe251aa to disable the default context when certs are present.
However, with testing I'm seeing an exception with the cert being self-signed that wasn't present in 2.31.0. I'm looking into that further but would you mind checking the above patch against your current setup so we can decouple the two issues. If your issue is persisting after we've moved the default context out of the hot path, there may be something else at play with the recent CVE fix.
from requests.
jeffreytolar
commented on July 21, 2024
So far it's looking like that patch is working in our main setup - thanks for the quick commit!
For the self-signed issue still in the reproducer, I think it's that 2.32.x isn't passing a CA bundle to urllib3, whereas 2.31 did that here:
Lines 257 to 258 in 147c851
certifi
To restore the v2.31 behavior, I think maybe a elif verify is True: pool_kwargs["ca_certs (or ca_cert_dir)"] = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH) might work in _urllib3_request_context ?
from requests.
sigmavirus24
commented on July 21, 2024
So far it's looking like that patch is working in our main setup - thanks for the quick commit!
For the self-signed issue still in the reproducer, I think it's that 2.32.x isn't passing a CA bundle to urllib3, whereas 2.31 did that here:
; that causes urllib3 to load the OS default, rather than usingLines 257 to 258 in 147c851
certifiTo restore the v2.31 behavior, I think maybe a
elif verify is True: pool_kwargs["ca_certs (or ca_cert_dir)"] = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)might work in_urllib3_request_context?
Yeah, I thought the optimization broke the zipped paths extraction but couldn't prove it easily
from requests.
nateprewitt
commented on July 21, 2024
Ok, so that's the same issue reported here (#6710 (comment)) this morning. That explains why calling load_default_certs on the SSLContext fixes it.
Let me take a closer look tomorrow, I'm a little worried if we do it only for verify is True that we'll start the whole custom SSLContext issue over again. Thanks for pointing that out, @jeffreytolar!
from requests.
Related Issues (20)
- Enhance Error Messaging for Connection Failures
- Different default values for "allow_redirects" for HEAD http method HOT 4
- ssl certificate validation of requests was ignored but the ssl certificate still reported an error HOT 1
- ssl certificate validation of requests was ignored but the ssl certificate still reported an error HOT 2
- Certificate loading regression with HTTPAdapters in 2.32.3
- Deprecated `HTTPAdapter.get_connection()` method is never called, causing breakage without deprecation warnings HOT 2
- requests 2.32.3 & urllib3 1.26.18 issue with unicode put HOT 4
- requests 2.32.3 with IPv6 link local address fails with error: [Errno -2] Name or service not known HOT 1
- 2.32.3 does not load system CA certificates when using an Adapter HOT 4
- GET请求,我希望传递% 但是requests会默认帮我编码为%25,如何解决? HOT 1
- requests.utils. atomic_open does not respect umask HOT 1
- Feature Request: `safe_json()` Method for Requests Library HOT 1
- auth headers lost when requests process redirected requests HOT 1
- inconsistent handling of verify and REQUESTS_CA_BUNDLE HOT 1
- requests library seems to ignore "Transfer-Encoding" header HOT 1
- ValueError: Timeout value connect was <object object at 0x7c6b5e484a80>, but it must be an int, float or None. HOT 1
- Requests v2.32.0 caused the error `Segmentation fault` when including the `cert` parameter HOT 2
- Check for codes HOT 1
- Unclear file handling in documentation examples HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from requests.