Connection warnings (#1341)
* Add warning.warn on MD5 and SHA1 hashes

* Add SHA256 only suggestion to docs

* PyFlakes fix

* changelog

* Added name to list

* Reorder fingerprint param info

* Add tests for deprecation warning
jake-jake-jake authored and asvetlov committed Oct 27, 2016
1 parent 3e6cbd4 commit a610cf1
Showing 5 changed files with 22 additions and 7 deletions.
3 changes: 2 additions & 1 deletion CHANGES.rst
Expand Up @@ -66,7 +66,8 @@ CHANGES

- Document deployment without `Gunicorn` #1120

-
- Add deprecation warning for MD5 and SHA1 digests when used for fingerprint
of site certs in TCPConnector. #1186

1.0.5 (2016-10-11)
------------------
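Review bot: The new CHANGES entry cites #1186 while the commit title carries #1341; confirm which number the changelog should point at so the reference resolves to the right discussion. The entry could also name SHA256 as the replacement, matching the 'Use sha256.' text of the warning itself.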
1 change: 1 addition & 0 deletions CONTRIBUTORS.txt
Expand Up @@ -65,6 +65,7 @@ Igor Pavlov
Ingmar Steen
Jacob Champion
Jaesung Lee
Jake Davis
Jakub Wilk
Jashandeep Sohi
Jeroen van der Heijden
5 changes: 5 additions & 0 deletions aiohttp/connector.py
Expand Up @@ -441,6 +441,11 @@ def __init__(self, *, verify_ssl=True, fingerprint=None,
hashfunc = HASHFUNC_BY_DIGESTLEN.get(digestlen)
if not hashfunc:
raise ValueError('fingerprint has invalid length')
elif hashfunc is md5 or hashfunc is sha1:
warnings.simplefilter('always')
warnings.warn('md5 and sha1 are insecure and deprecated. '
'Use sha256.',
DeprecationWarning, stacklevel=2)
self._hashfunc = hashfunc
self._fingerprint = fingerprint
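Review bot: `warnings.simplefilter('always')` inside `__init__` rewrites the warning filter for the whole process, and for every warning category, whenever an MD5 or SHA1 length fingerprint is passed; a library should not override the filter configuration the application has chosen. Drop that line and keep only the `warnings.warn(..., DeprecationWarning, stacklevel=2)` call; the test can still capture it with `pytest.warns`, which does not rely on the global filter. The message would also be easier to act on if it named the `fingerprint` parameter, since it may surface far from the call site.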

9 changes: 5 additions & 4 deletions docs/client_reference.rst
Expand Up @@ -886,12 +886,13 @@ TCPConnector
*HTTPS* requests (enabled by default). May be disabled to
skip validation for sites with invalid certificates.

:param bytes fingerprint: Pass the binary MD5, SHA1, or SHA256
digest of the expected certificate in DER format to verify
that the certificate the server presents matches. Useful
for `certificate pinning
:param bytes fingerprint: Pass the SHA256 digest of the expected
certificate in DER format to verify that the certificate the
server presents matches. Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

Note: use of MD5 or SHA1 digests is insecure and deprecated.

.. versionadded:: 0.16

:param bool use_dns_cache: use internal cache for DNS lookups, ``True``
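Review bot: The rewritten `fingerprint` description no longer says that MD5 and SHA1 digests are still accepted, and the plain "Note:" line does not mention that they now emit a `DeprecationWarning`, so a reader with an existing MD5 or SHA1 pin cannot tell from the docs whether it keeps working. State that those digests are still accepted but warn, and consider the reST `.. deprecated::` directive with the release that ships this change instead of free text, so the deprecation is rendered and indexed like the `.. versionadded::` entry below it.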
11 changes: 9 additions & 2 deletions tests/test_client_functional.py
Expand Up @@ -266,8 +266,15 @@ def test_tcp_connector_fingerprint_ok(test_server, test_client,
def handler(request):
return web.HTTPOk(text='Test message')

connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
# Test for deprecation warning on md5 and sha1 len digests.
if len(fingerprint) == 16 or len(fingerprint) == 20:
with pytest.warns(DeprecationWarning) as cm:
connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
assert 'Use sha256.' in str(cm[0].message)
else:
connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
app = web.Application(loop=loop)
app.router.add_route('GET', '/', handler)
server = yield from test_server(app, ssl=ssl_ctx)
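Review bot: The `else` branch builds the connector for the SHA256 fingerprint without checking that no warning is emitted, so a regression that warns on every digest length would still pass. Record warnings in that branch and assert that none of them is a `DeprecationWarning`. The literals `16` and `20` would also read better as the MD5 and SHA1 digest sizes taken from `hashlib`, which keeps the test aligned with the digest-length lookup in `connector.py`.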