fix use of proxies #1070

aio-libs · Jan 19, 2024 · e13988e · e13988e
1 parent c772f4b
commit e13988e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 43 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,10 @@
 Changes
 -------
 
+2.11.1 (2024-01-20)
+^^^^^^^^^^^^^^^^^^^
+* fix use of proxies #1070
+
 2.11.0 (2024-01-19)
 ^^^^^^^^^^^^^^^^^^^
 * send project-specific `User-Agent` HTTP header #853

diff --git a/aiobotocore/__init__.py b/aiobotocore/__init__.py
@@ -1 +1 @@
-__version__ = '2.11.0'
+__version__ = '2.11.1'
diff --git a/aiobotocore/httpsession.py b/aiobotocore/httpsession.py
@@ -27,16 +27,15 @@
     ProxyConnectionError,
     ReadTimeoutError,
     SSLError,
-    _is_ipaddress,
     create_urllib3_context,
     ensure_boolean,
     get_cert_path,
     logger,
     mask_proxy_url,
-    parse_url,
     urlparse,
 )
 from multidict import CIMultiDict
+from urllib3.exceptions import SSLError as URLLib3SSLError
 
 import aiobotocore.awsrequest
 from aiobotocore._endpoint_helpers import _IOBaseWrapper, _text
@@ -93,25 +92,42 @@ def __init__(
         # it also pools by host so we don't need a manager, and can pass proxy via
         # request so don't need proxy manager
 
-        ssl_context = None
+        context = None
         if bool(verify):
+            context = self._get_ssl_context()
+            if self._cert_file:
+                context.load_cert_chain(self._cert_file, self._key_file)
+
+            # inline self._setup_ssl_cert
+            ca_certs = get_cert_path(verify)
+            if ca_certs:
+                context.load_verify_locations(ca_certs, None, None)
+
             if proxies:
                 proxies_settings = self._proxy_config.settings
-                ssl_context = self._setup_proxy_ssl_context(proxies_settings)
+                proxy_ca_bundle = proxies_settings.get('proxy_ca_bundle')
+                proxy_cert = proxies_settings.get('proxy_client_cert')
+
+                try:
+                    if proxy_ca_bundle is not None:
+                        context.load_verify_locations(cafile=proxy_ca_bundle)
+
+                    if isinstance(proxy_cert, tuple):
+                        context.load_cert_chain(
+                            proxy_cert[0], keyfile=proxy_cert[1]
+                        )
+                    elif isinstance(proxy_cert, str):
+                        context.load_cert_chain(proxy_cert)
+                except (OSError, URLLib3SSLError, LocationParseError) as e:
+                    raise InvalidProxiesConfigError(error=e)
+
                 # TODO: add support for
                 #    proxies_settings.get('proxy_use_forwarding_for_https')
-            else:
-                ssl_context = self._get_ssl_context()
-
-                # inline self._setup_ssl_cert
-                ca_certs = get_cert_path(verify)
-                if ca_certs:
-                    ssl_context.load_verify_locations(ca_certs, None, None)
 
         self._create_connector = lambda: aiohttp.TCPConnector(
             limit=max_pool_connections,
             verify_ssl=bool(verify),
-            ssl=ssl_context,
+            ssl=context,
             **self._connector_args
         )
         self._connector = None
@@ -136,36 +152,7 @@ async def __aexit__(self, exc_type, exc_val, exc_tb):
             self._connector = None
 
     def _get_ssl_context(self):
-        ssl_context = create_urllib3_context()
-        if self._cert_file:
-            ssl_context.load_cert_chain(self._cert_file, self._key_file)
-        return ssl_context
-
-    def _setup_proxy_ssl_context(self, proxy_url):
-        proxies_settings = self._proxy_config.settings
-        proxy_ca_bundle = proxies_settings.get('proxy_ca_bundle')
-        proxy_cert = proxies_settings.get('proxy_client_cert')
-        if proxy_ca_bundle is None and proxy_cert is None:
-            return None
-
-        context = self._get_ssl_context()
-        try:
-            url = parse_url(proxy_url)
-            # urllib3 disables this by default but we need it for proper
-            # proxy tls negotiation when proxy_url is not an IP Address
-            if not _is_ipaddress(url.host):
-                context.check_hostname = True
-            if proxy_ca_bundle is not None:
-                context.load_verify_locations(cafile=proxy_ca_bundle)
-
-            if isinstance(proxy_cert, tuple):
-                context.load_cert_chain(proxy_cert[0], keyfile=proxy_cert[1])
-            elif isinstance(proxy_cert, str):
-                context.load_cert_chain(proxy_cert)
-
-            return context
-        except (OSError, LocationParseError) as e:
-            raise InvalidProxiesConfigError(error=e)
+        return create_urllib3_context()
 
     async def close(self):
         await self.__aexit__(None, None, None)