-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for TLS in TLS for HTTPS proxies. #1806
Conversation
Now that #1679 is merged, I'd love to move this forward. So... this appears to make sense, and is surprisingly compact, but I would love to get sample code or even an integration with urllib3 to be able to play with it. |
1f14923
to
e1f7a8c
Compare
Codecov Report
@@ Coverage Diff @@
## master #1806 +/- ##
===========================================
- Coverage 100.00% 99.03% -0.97%
===========================================
Files 23 23
Lines 2055 2171 +116
===========================================
+ Hits 2055 2150 +95
- Misses 0 21 +21
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
2436dd4
to
0185939
Compare
Alright @pquentin, I've updated the PR with an initial integration. A couple of things to keep in mind:
There are a couple of things I want to do before merging this but I wanted to send it early to get some feedback. Items I still have to address:
Play with it and let me know if you have any feedback! |
@jalopezsilva Thanks! Those assumptions make sense to me. I believe @sethmlarson has stronger feelings about the I restarted a failing PyPy run (sorry, our PyPy tests are quite flaky), and now the codecov checks work as expected since as you noted coverage is not at 100% yet. For what it's worth, https://codecov.io/gh/urllib3/urllib3/pull/1806/tree/src/urllib3 is the best way to see see covered lines. I'll try to play with it, and will also try to find a way to review it. Please tell us when this runs in production. :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for taking on this task, it's a whole pile of work! 💪
Here's a list of comments and discussion points I could think of.
Hey @sethmlarson, thanks for the quick review. I'll address most of your comments. I wanted to highlight my response to two of them here.
|
@jalopezsilva Thanks for all you're doing for this feature, I'm really happy with the work so far. It's an amazing improvement to the library and I'm excited to be able to ship it to our users. ✨
Also feel free to call me out if I'm totally missing something here, this is a lot to think about this early in the morning. :) |
0d681e2
to
6c84fe3
Compare
Quick update for you @pquentin, @sethmlarson, I'm testing this with a couple of teams in production. We ran into an interesting bug that I thought would share. Do you know why requests by default will attempt to use
I suspect we did this before python had SNI support on the ssl module. ( Less than python 3.2 ) That said I'm surprised we don't have a check for ssl.HAS_SNI in |
@jalopezsilva You're discovering some of the difficult parts of our current TLS situation with urllib3+requests. :) Others and I have voiced concern over having pyOpenSSL be the preferred TLS implementation when available, especially nowadays with SNI on almost all supported platforms. I'd like to remove the unconditional use of pyOpenSSL, that'd definitely be something that would move us forwards. That way on the few platforms without SNI installing As for this feature as it currently stands without BIO support on pyOpenSSL we can't provide TLS+TLS for HTTPS proxies. If we're going to implement it now we'd have to error out and explain to users why they're experiencing the error w/ potential fixes which may include uninstalling pyOpenSSL if Requests still unconditionally patches. Maybe we're fine with that given the low occurrence of TLS+TLS w/ Also are we still unsure about SecureTransport, is there something we can do there? Note as a part of 2.x I'd really like to drop our pyOpenSSL TLS implementation as well. cc @nateprewitt |
I opened a PR on Requests to drop the unconditional monkey-patching: psf/requests#5443 |
Cool, that requests PyOpenSSL change is now released! @jalopezsilva Can we do anything to help? |
Sorry for the lack of updates here! I got sidetracked at work with other priorities as well with everything going on in the world. Production testing has been mostly good, we found some bugs and got some feature requests that teams had. I'll put up a brief summary here:
And that's about it. I'm currently closing up some other projects and my plan is to get back at this on July so we can close it out. I'll post here if I need help with anything! |
Thanks for the update!
@sigmavirus24 I've seen you mention that environment variables were generally a bad idea for urllib3/requests (psf/requests#3070 (comment)), do you think you can expand in order to explain when it's a bad idea and when it's not? It's possible to configure urllib3 with requests adapters, but it's more cumbersome.
This would be really nice if |
If I have to guess this is related to the These environment variables can be used to configure if a proxy should be used or not when contacting a destination. The problem arises when these environment variables modify all of your requests to use a proxy. One of the problems that I've seen in the past is when users use urllib3/requests to contact internal (not requiring a proxy) and external destinations (requiring a proxy). If you unintentionally set the The environment variables I was thinking ( I'm prepping the changes with the environment variables included. We can discuss during code review too if needed. |
957e172
to
f57c734
Compare
All right folks, it's time. I have done my best to test these changes on production and address the bugs that we have identified. I'm updating the PR with the latest changes. For now, I have sent a single commit which adds the I hope to update tomorrow with the second commit (which has the urllib3 integration). Btw, there seems to be an unrelated regression on the Python3.10 CI:
|
This PR aims to add support for HTTPS proxies by adding a class to easily provide TLS in TLS support. TLS within TLS is not supported easily within the ssl library. The SSLSocket actually takes over the existing socket (https://github.com/python/cpython/blob/master/Lib/ssl.py#L999-L1006)
instead of wrapping it entirely. The only way to support to TLS within TLS is with the
SSLContext.wrap_bio
methods.The first commit introduces a class called SSLTransport which wraps a socket in TLS using the provided SSL context. I'm currently in the process of adding unit tests and integration tests but it would be useful if we can merge #1679 for that.
Once I can fully integrate this within
urlib3
I'll perform some production testing on my own to validate the changes work as expected.