-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support new TCPConnector param fingerprint
#366
Conversation
>>> conn = aiohttp.TCPConnector(ssl_context=sslcontext) | ||
>>> r = yield from aiohttp.request( | ||
... 'get', 'https://example.com', connector=conn) | ||
|
||
You may also verify certificates via fingerprint:: | ||
|
||
>>> fp = '...' # hex str of md5, sha1, or sha256 of expected cert (in DER) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please replace '...'
with example of arbitrary fingerprint. It may help to newcomers very well.
05f059c
to
4214961
Compare
@asvetlov Thanks, implemented all your suggestions. Please let me know if latest patch looks better. Just wasn't sure what you wanted here. Yes, the property returns a string (or None if not set). Happy to rename this (something like expected_fingerprint?) everywhere rather than verify_fingerprint if you prefer? |
e93fabc
to
df23fce
Compare
verify_fingerprint
expect_fingerprint
pushed a new version with |
df23fce
to
17008ed
Compare
:param bool resolve: Set to True to do DNS lookup for host name. | ||
:param family: socket address family | ||
:param args: see :class:`BaseConnector` | ||
:param kwargs: see :class:`BaseConnector` | ||
""" | ||
|
||
def __init__(self, *, verify_ssl=True, | ||
def __init__(self, *, verify_ssl=True, expect_fingerprint=None, | ||
resolve=False, family=socket.AF_INET, ssl_context=None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have a way to pass bytes
fingerprint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have a way to pass bytes fingerprint?
Something like 8661202?
ddfc5ef
to
8661202
Compare
ssl=sslcontext, family=hinfo['family'], | ||
proto=hinfo['proto'], flags=hinfo['flags'], | ||
server_hostname=hinfo['hostname'] if sslcontext else None)) | ||
server_hostname=hinfo['hostname'] if sslcontext else None) | ||
if req.ssl and self._expect_fingerprint: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for bad guess, req.ssl
may clash with ProxyConnector
.
Please use transport.get_extra_info('sslcontext')
instead as flag that transport.get_extra_info('socket')
has certificate info.
Sorry for long review, I'm striving to make code perfect. After looking on the last version I incline to accept We need also for Library users can find the helper function easy if you mention it in Clean separation to byte-ish fingerprint for usage in connector and helper for converting user-readable
Both We are in the middle on getting rid of sphinx autodoc generated documentation (docstrings in If you are too boring in writing documentation please left it to me -- I'll accept your PR after code and tests done but very appreciate your help in documentation also. |
8661202
to
7041757
Compare
expect_fingerprint
fingerprint
6a8e019
to
0e1219a
Compare
enables ssl certificate pinning
0e1219a
to
173ef3f
Compare
@asvetlov Happy to put the extra time in on my first contribution. I can always relate to striving to make the code perfect. Looks like Travis and Appveyor checks completed and are both green. Hope this latest revision does the trick. And thanks for all the careful review and great work on aiohttp. |
support new TCPConnector param `fingerprint`
Thank you very much! |
Thanks for merging! |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs. |
Fixes #350