Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Connection warnings #1341

Merged
merged 7 commits into from
Oct 27, 2016
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,8 @@ CHANGES

-

-
- Add deprecation warning for MD5 and SHA1 digests when used for fingerprint
of site certs in TCPConnector. #1186

1.0.5 (2016-10-11)
------------------
Expand Down
1 change: 1 addition & 0 deletions CONTRIBUTORS.txt
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ Igor Pavlov
Ingmar Steen
Jacob Champion
Jaesung Lee
Jake Davis
Jakub Wilk
Jashandeep Sohi
Jeroen van der Heijden
Expand Down
5 changes: 5 additions & 0 deletions aiohttp/connector.py
Original file line number Diff line number Diff line change
Expand Up @@ -441,6 +441,11 @@ def __init__(self, *, verify_ssl=True, fingerprint=None,
hashfunc = HASHFUNC_BY_DIGESTLEN.get(digestlen)
if not hashfunc:
raise ValueError('fingerprint has invalid length')
elif hashfunc is md5 or hashfunc is sha1:
warnings.simplefilter('always')
warnings.warn('md5 and sha1 are insecure and deprecated. '
'Use sha256.',
DeprecationWarning, stacklevel=2)
self._hashfunc = hashfunc
self._fingerprint = fingerprint

Expand Down
9 changes: 5 additions & 4 deletions docs/client_reference.rst
Original file line number Diff line number Diff line change
Expand Up @@ -886,12 +886,13 @@ TCPConnector
*HTTPS* requests (enabled by default). May be disabled to
skip validation for sites with invalid certificates.

:param bytes fingerprint: Pass the binary MD5, SHA1, or SHA256
digest of the expected certificate in DER format to verify
that the certificate the server presents matches. Useful
for `certificate pinning
:param bytes fingerprint: Pass the SHA256 digest of the expected
certificate in DER format to verify that the certificate the
server presents matches. Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

Note: use of MD5 or SHA1 digests is insecure and deprecated.

.. versionadded:: 0.16

:param bool use_dns_cache: use internal cache for DNS lookups, ``True``
Expand Down
11 changes: 9 additions & 2 deletions tests/test_client_functional.py
Original file line number Diff line number Diff line change
Expand Up @@ -266,8 +266,15 @@ def test_tcp_connector_fingerprint_ok(test_server, test_client,
def handler(request):
return web.HTTPOk(text='Test message')

connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
# Test for deprecation warning on md5 and sha1 len digests.
if len(fingerprint) == 16 or len(fingerprint) == 20:
with pytest.warns(DeprecationWarning) as cm:
connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
assert 'Use sha256.' in str(cm[0].message)
else:
connector = aiohttp.TCPConnector(loop=loop, verify_ssl=False,
fingerprint=fingerprint)
app = web.Application(loop=loop)
app.router.add_route('GET', '/', handler)
server = yield from test_server(app, ssl=ssl_ctx)
Expand Down