-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move to TLS client protocol for http connections #191
base: master
Are you sure you want to change the base?
Conversation
Also I need to rebase but we can start the discussion. |
if cert_file: | ||
context.load_cert_chain(cert_file, key_file) | ||
if ca_certs: | ||
context.verify_mode = ssl.CERT_REQUIRED | ||
context.load_verify_locations(cafile=ca_certs) | ||
else: | ||
# Can't check hostnames if we're not requiring server certificates | ||
context.check_hostname = False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PROTOCOL_TLS_CLIENT automatically makes check_hostname True (side note, that means PROTOCOL_SSLv23 and PROTOCOL_TLS don't?) but if we don't require certs, we obviously can't required hostname checking.
This would change the default behavior to start enforcing hostname verification when certificates are in use. Is that a concern? |
yeah it is. We have a number of tests that disable cert validation |
and those are exactly the tests that failed until I added the line about disabling hostname verification. |
Since TLS_PROTOCOL is itself deprecated, this is the suggested update. It does technically change the default behavior though:
https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT