Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2021-11-03 17:25:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old) and /work/SRC/openSUSE:Factory/.python-urllib3.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-urllib3" Wed Nov 3 17:25:10 2021 rev:48 rq:928316 version:1.26.7 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2021-07-16 22:13:20.054579173 +0200 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.1890/python-urllib3.changes 2021-11-03 17:25:14.925303845 +0100 @@ -1,0 +2,9 @@ +Tue Oct 26 21:02:38 UTC 2021 - Dirk M��ller <dmueller@suse.com> + +- update to 1.26.7: + * Fixed a bug with HTTPS hostname verification involving IP addresses and lack + of SNI. + * Fixed a bug where IPv6 braces weren't stripped during certificate hostname + matching. + +------------------------------------------------------------------- Old: ---- urllib3-1.26.6.tar.gz New: ---- urllib3-1.26.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.oRgeki/_old 2021-11-03 17:25:15.537304180 +0100 +++ /var/tmp/diff_new_pack.oRgeki/_new 2021-11-03 17:25:15.537304180 +0100 @@ -27,7 +27,7 @@ %bcond_with test %endif Name: python-urllib3%{psuffix} -Version: 1.26.6 +Version: 1.26.7 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT ++++++ urllib3-1.26.6.tar.gz -> urllib3-1.26.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/CHANGES.rst new/urllib3-1.26.7/CHANGES.rst --- old/urllib3-1.26.6/CHANGES.rst 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/CHANGES.rst 2021-09-22 20:00:21.000000000 +0200 @@ -1,6 +1,14 @@ Changes ======= +1.26.7 (2021-09-22) +------------------- +* Fixed a bug with HTTPS hostname verification involving IP addresses and lack + of SNI. (Issue #2400) +* Fixed a bug where IPv6 braces weren't stripped during certificate hostname + matching. (Issue #2240) + + 1.26.6 (2021-06-25) ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/PKG-INFO new/urllib3-1.26.7/PKG-INFO --- old/urllib3-1.26.6/PKG-INFO 2021-06-25 15:20:57.968305300 +0200 +++ new/urllib3-1.26.7/PKG-INFO 2021-09-22 20:00:56.037445500 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.6 +Version: 1.26.7 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov @@ -143,6 +143,14 @@ Changes ======= +1.26.7 (2021-09-22) +------------------- +* Fixed a bug with HTTPS hostname verification involving IP addresses and lack + of SNI. (Issue #2400) +* Fixed a bug where IPv6 braces weren't stripped during certificate hostname + matching. (Issue #2240) + + 1.26.6 (2021-06-25) ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/_version.py new/urllib3-1.26.7/src/urllib3/_version.py --- old/urllib3-1.26.6/src/urllib3/_version.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3/_version.py 2021-09-22 20:00:21.000000000 +0200 @@ -1,2 +1,2 @@ # This file is protected via CODEOWNERS -__version__ = "1.26.6" +__version__ = "1.26.7" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/connection.py new/urllib3-1.26.7/src/urllib3/connection.py --- old/urllib3-1.26.6/src/urllib3/connection.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3/connection.py 2021-09-22 20:00:21.000000000 +0200 @@ -56,6 +56,7 @@ from .util.ssl_ import ( assert_fingerprint, create_urllib3_context, + is_ipaddress, resolve_cert_reqs, resolve_ssl_version, ssl_wrap_socket, @@ -107,6 +108,10 @@ #: Whether this connection verifies the host's certificate. is_verified = False + #: Whether this proxy connection (if used) verifies the proxy host's + #: certificate. + proxy_is_verified = None + def __init__(self, *args, **kw): if not six.PY2: kw.pop("strict", None) @@ -490,14 +495,10 @@ self.ca_cert_dir, self.ca_cert_data, ) - # By default urllib3's SSLContext disables `check_hostname` and uses - # a custom check. For proxies we're good with relying on the default - # verification. - ssl_context.check_hostname = True # If no cert was provided, use only the default options for server # certificate validation - return ssl_wrap_socket( + socket = ssl_wrap_socket( sock=conn, ca_certs=self.ca_certs, ca_cert_dir=self.ca_cert_dir, @@ -506,8 +507,37 @@ ssl_context=ssl_context, ) + if ssl_context.verify_mode != ssl.CERT_NONE and not getattr( + ssl_context, "check_hostname", False + ): + # While urllib3 attempts to always turn off hostname matching from + # the TLS library, this cannot always be done. So we check whether + # the TLS Library still thinks it's matching hostnames. + cert = socket.getpeercert() + if not cert.get("subjectAltName", ()): + warnings.warn( + ( + "Certificate for {0} has no `subjectAltName`, falling back to check for a " + "`commonName` for now. This feature is being removed by major browsers and " + "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 " + "for details.)".format(hostname) + ), + SubjectAltNameWarning, + ) + _match_hostname(cert, hostname) + + self.proxy_is_verified = ssl_context.verify_mode == ssl.CERT_REQUIRED + return socket + def _match_hostname(cert, asserted_hostname): + # Our upstream implementation of ssl.match_hostname() + # only applies this normalization to IP addresses so it doesn't + # match DNS SANs so we do the same thing! + stripped_hostname = asserted_hostname.strip("u[]") + if is_ipaddress(stripped_hostname): + asserted_hostname = stripped_hostname + try: match_hostname(cert, asserted_hostname) except CertificateError as e: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/connectionpool.py new/urllib3-1.26.7/src/urllib3/connectionpool.py --- old/urllib3-1.26.6/src/urllib3/connectionpool.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3/connectionpool.py 2021-09-22 20:00:21.000000000 +0200 @@ -1020,6 +1020,17 @@ InsecureRequestWarning, ) + if getattr(conn, "proxy_is_verified", None) is False: + warnings.warn( + ( + "Unverified HTTPS connection done to an HTTPS proxy. " + "Adding certificate verification is strongly advised. See: " + "https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html" + "#ssl-warnings" + ), + InsecureRequestWarning, + ) + def connection_from_url(url, **kw): """ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/contrib/_securetransport/low_level.py new/urllib3-1.26.7/src/urllib3/contrib/_securetransport/low_level.py --- old/urllib3-1.26.6/src/urllib3/contrib/_securetransport/low_level.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3/contrib/_securetransport/low_level.py 2021-09-22 20:00:21.000000000 +0200 @@ -188,6 +188,7 @@ # We only want to do that if an error occurs: otherwise, the caller # should free. CoreFoundation.CFRelease(cert_array) + raise return cert_array diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3/util/proxy.py new/urllib3-1.26.7/src/urllib3/util/proxy.py --- old/urllib3-1.26.6/src/urllib3/util/proxy.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3/util/proxy.py 2021-09-22 20:00:21.000000000 +0200 @@ -45,6 +45,7 @@ ssl_version=resolve_ssl_version(ssl_version), cert_reqs=resolve_cert_reqs(cert_reqs), ) + if ( not ca_certs and not ca_cert_dir diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/src/urllib3.egg-info/PKG-INFO new/urllib3-1.26.7/src/urllib3.egg-info/PKG-INFO --- old/urllib3-1.26.6/src/urllib3.egg-info/PKG-INFO 2021-06-25 15:20:57.000000000 +0200 +++ new/urllib3-1.26.7/src/urllib3.egg-info/PKG-INFO 2021-09-22 20:00:55.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.6 +Version: 1.26.7 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov @@ -143,6 +143,14 @@ Changes ======= +1.26.7 (2021-09-22) +------------------- +* Fixed a bug with HTTPS hostname verification involving IP addresses and lack + of SNI. (Issue #2400) +* Fixed a bug where IPv6 braces weren't stripped during certificate hostname + matching. (Issue #2240) + + 1.26.6 (2021-06-25) ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/conftest.py new/urllib3-1.26.7/test/conftest.py --- old/urllib3-1.26.6/test/conftest.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/conftest.py 2021-09-22 20:00:21.000000000 +0200 @@ -11,6 +11,7 @@ from tornado import ioloop, web from dummyserver.handlers import TestingApp +from dummyserver.proxy import ProxyHandler from dummyserver.server import HAS_IPV6, run_tornado_app from dummyserver.testcase import HTTPSDummyServerTestCase from urllib3.util import ssl_ @@ -30,16 +31,21 @@ ServerConfig = collections.namedtuple("ServerConfig", ["host", "port", "ca_certs"]) +def _write_cert_to_dir(cert, tmpdir, file_prefix="server"): + cert_path = str(tmpdir / ("%s.pem" % file_prefix)) + key_path = str(tmpdir / ("%s.key" % file_prefix)) + cert.private_key_pem.write_to_path(key_path) + cert.cert_chain_pems[0].write_to_path(cert_path) + certs = {"keyfile": key_path, "certfile": cert_path} + return certs + + @contextlib.contextmanager def run_server_in_thread(scheme, host, tmpdir, ca, server_cert): ca_cert_path = str(tmpdir / "ca.pem") - server_cert_path = str(tmpdir / "server.pem") - server_key_path = str(tmpdir / "server.key") ca.cert_pem.write_to_path(ca_cert_path) - server_cert.private_key_pem.write_to_path(server_key_path) - server_cert.cert_chain_pems[0].write_to_path(server_cert_path) - server_certs = {"keyfile": server_key_path, "certfile": server_cert_path} + server_certs = _write_cert_to_dir(server_cert, tmpdir) io_loop = ioloop.IOLoop.current() app = web.Application([(r".*", TestingApp)]) server, port = run_tornado_app(app, io_loop, server_certs, scheme, host) @@ -53,6 +59,39 @@ server_thread.join() +@contextlib.contextmanager +def run_server_and_proxy_in_thread( + proxy_scheme, proxy_host, tmpdir, ca, proxy_cert, server_cert +): + ca_cert_path = str(tmpdir / "ca.pem") + ca.cert_pem.write_to_path(ca_cert_path) + + server_certs = _write_cert_to_dir(server_cert, tmpdir) + proxy_certs = _write_cert_to_dir(proxy_cert, tmpdir, "proxy") + + io_loop = ioloop.IOLoop.current() + server = web.Application([(r".*", TestingApp)]) + server, port = run_tornado_app(server, io_loop, server_certs, "https", "localhost") + server_config = ServerConfig("localhost", port, ca_cert_path) + + proxy = web.Application([(r".*", ProxyHandler)]) + proxy_app, proxy_port = run_tornado_app( + proxy, io_loop, proxy_certs, proxy_scheme, proxy_host + ) + proxy_config = ServerConfig(proxy_host, proxy_port, ca_cert_path) + + server_thread = threading.Thread(target=io_loop.start) + server_thread.start() + + yield (proxy_config, server_config) + + io_loop.add_callback(server.stop) + io_loop.add_callback(proxy_app.stop) + io_loop.add_callback(io_loop.stop) + + server_thread.join() + + @pytest.fixture def no_san_server(tmp_path_factory): tmpdir = tmp_path_factory.mktemp("certs") @@ -65,6 +104,20 @@ @pytest.fixture +def no_san_proxy(tmp_path_factory): + tmpdir = tmp_path_factory.mktemp("certs") + ca = trustme.CA() + # only common name, no subject alternative names + proxy_cert = ca.issue_cert(common_name=u"localhost") + server_cert = ca.issue_cert(u"localhost") + + with run_server_and_proxy_in_thread( + "https", "localhost", tmpdir, ca, proxy_cert, server_cert + ) as cfg: + yield cfg + + +@pytest.fixture def no_localhost_san_server(tmp_path_factory): tmpdir = tmp_path_factory.mktemp("certs") ca = trustme.CA() @@ -76,7 +129,37 @@ @pytest.fixture -def ip_san_server(tmp_path_factory): +def ipv4_san_proxy(tmp_path_factory): + tmpdir = tmp_path_factory.mktemp("certs") + ca = trustme.CA() + # IP address in Subject Alternative Name + proxy_cert = ca.issue_cert(u"127.0.0.1") + + server_cert = ca.issue_cert(u"localhost") + + with run_server_and_proxy_in_thread( + "https", "127.0.0.1", tmpdir, ca, proxy_cert, server_cert + ) as cfg: + yield cfg + + +@pytest.fixture +def ipv6_san_proxy(tmp_path_factory): + tmpdir = tmp_path_factory.mktemp("certs") + ca = trustme.CA() + # IP addresses in Subject Alternative Name + proxy_cert = ca.issue_cert(u"::1") + + server_cert = ca.issue_cert(u"localhost") + + with run_server_and_proxy_in_thread( + "https", "::1", tmpdir, ca, proxy_cert, server_cert + ) as cfg: + yield cfg + + +@pytest.fixture +def ipv4_san_server(tmp_path_factory): tmpdir = tmp_path_factory.mktemp("certs") ca = trustme.CA() # IP address in Subject Alternative Name diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/contrib/test_pyopenssl.py new/urllib3-1.26.7/test/contrib/test_pyopenssl.py --- old/urllib3-1.26.6/test/contrib/test_pyopenssl.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/contrib/test_pyopenssl.py 2021-09-22 20:00:21.000000000 +0200 @@ -34,7 +34,7 @@ from ..test_util import TestUtilSSL # noqa: E402, F401 from ..with_dummyserver.test_https import ( # noqa: E402, F401 TestHTTPS, - TestHTTPS_IPSAN, + TestHTTPS_IPV4SAN, TestHTTPS_IPv6Addr, TestHTTPS_IPV6SAN, TestHTTPS_NoSAN, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/contrib/test_securetransport.py new/urllib3-1.26.7/test/contrib/test_securetransport.py --- old/urllib3-1.26.6/test/contrib/test_securetransport.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/contrib/test_securetransport.py 2021-09-22 20:00:21.000000000 +0200 @@ -1,4 +1,5 @@ # -*- coding: utf-8 -*- +import base64 import contextlib import socket import ssl @@ -52,3 +53,15 @@ ws = WrappedSocket(s) with pytest.raises(ssl.SSLError): ws._custom_validate(True, b"") + + +def test_no_crash_with_invalid_trust_bundle(): + invalid_cert = base64.b64encode(b"invalid-cert") + cert_bundle = ( + b"-----BEGIN CERTIFICATE-----\n" + invalid_cert + b"\n-----END CERTIFICATE-----" + ) + + with contextlib.closing(socket.socket()) as s: + ws = WrappedSocket(s) + with pytest.raises(ssl.SSLError): + ws._custom_validate(True, cert_bundle) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/test_connection.py new/urllib3-1.26.7/test/test_connection.py --- old/urllib3-1.26.6/test/test_connection.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/test_connection.py 2021-09-22 20:00:21.000000000 +0200 @@ -43,6 +43,42 @@ ) assert e._peer_cert == cert + def test_match_hostname_ip_address_ipv6(self): + cert = {"subjectAltName": (("IP Address", "1:2::2:1"),)} + asserted_hostname = "1:2::2:2" + try: + with mock.patch("urllib3.connection.log.warning") as mock_log: + _match_hostname(cert, asserted_hostname) + except CertificateError as e: + assert "hostname '1:2::2:2' doesn't match '1:2::2:1'" in str(e) + mock_log.assert_called_once_with( + "Certificate did not match expected hostname: %s. Certificate: %s", + "1:2::2:2", + {"subjectAltName": (("IP Address", "1:2::2:1"),)}, + ) + assert e._peer_cert == cert + + def test_match_hostname_dns_with_brackets_doesnt_match(self): + cert = { + "subjectAltName": ( + ("DNS", "localhost"), + ("IP Address", "localhost"), + ) + } + asserted_hostname = "[localhost]" + with pytest.raises(CertificateError) as e: + _match_hostname(cert, asserted_hostname) + assert ( + "hostname '[localhost]' doesn't match either of 'localhost', 'localhost'" + in str(e.value) + ) + + def test_match_hostname_ip_address_ipv6_brackets(self): + cert = {"subjectAltName": (("IP Address", "1:2::2:1"),)} + asserted_hostname = "[1:2::2:1]" + # Assert no error is raised + _match_hostname(cert, asserted_hostname) + def test_recent_date(self): # This test is to make sure that the RECENT_DATE value # doesn't get too far behind what the current date is. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/with_dummyserver/test_https.py new/urllib3-1.26.7/test/with_dummyserver/test_https.py --- old/urllib3-1.26.6/test/with_dummyserver/test_https.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/with_dummyserver/test_https.py 2021-09-22 20:00:21.000000000 +0200 @@ -859,29 +859,25 @@ assert warn.called -class TestHTTPS_IPSAN: - def test_can_validate_ip_san(self, ip_san_server): +class TestHTTPS_IPV4SAN: + def test_can_validate_ip_san(self, ipv4_san_server): """Ensure that urllib3 can validate SANs with IP addresses in them.""" - try: - import ipaddress # noqa: F401 - except ImportError: - pytest.skip("Only runs on systems with an ipaddress module") - with HTTPSConnectionPool( - ip_san_server.host, - ip_san_server.port, + ipv4_san_server.host, + ipv4_san_server.port, cert_reqs="CERT_REQUIRED", - ca_certs=ip_san_server.ca_certs, + ca_certs=ipv4_san_server.ca_certs, ) as https_pool: r = https_pool.request("GET", "/") assert r.status == 200 class TestHTTPS_IPv6Addr: - def test_strip_square_brackets_before_validating(self, ipv6_addr_server): + @pytest.mark.parametrize("host", ["::1", "[::1]"]) + def test_strip_square_brackets_before_validating(self, ipv6_addr_server, host): """Test that the fix for #760 works.""" with HTTPSConnectionPool( - "[::1]", + host, ipv6_addr_server.port, cert_reqs="CERT_REQUIRED", ca_certs=ipv6_addr_server.ca_certs, @@ -891,15 +887,11 @@ class TestHTTPS_IPV6SAN: - def test_can_validate_ipv6_san(self, ipv6_san_server): + @pytest.mark.parametrize("host", ["::1", "[::1]"]) + def test_can_validate_ipv6_san(self, ipv6_san_server, host): """Ensure that urllib3 can validate SANs with IPv6 addresses in them.""" - try: - import ipaddress # noqa: F401 - except ImportError: - pytest.skip("Only runs on systems with an ipaddress module") - with HTTPSConnectionPool( - "[::1]", + host, ipv6_san_server.port, cert_reqs="CERT_REQUIRED", ca_certs=ipv6_san_server.ca_certs, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/urllib3-1.26.6/test/with_dummyserver/test_proxy_poolmanager.py new/urllib3-1.26.7/test/with_dummyserver/test_proxy_poolmanager.py --- old/urllib3-1.26.6/test/with_dummyserver/test_proxy_poolmanager.py 2021-06-25 15:20:25.000000000 +0200 +++ new/urllib3-1.26.7/test/with_dummyserver/test_proxy_poolmanager.py 2021-09-22 20:00:21.000000000 +0200 @@ -3,6 +3,7 @@ import shutil import socket import tempfile +import warnings from test import ( LONG_TIMEOUT, SHORT_TIMEOUT, @@ -21,11 +22,13 @@ from urllib3.connectionpool import VerifiedHTTPSConnection, connection_from_url from urllib3.exceptions import ( ConnectTimeoutError, + InsecureRequestWarning, MaxRetryError, ProxyError, ProxySchemeUnknown, ProxySchemeUnsupported, SSLError, + SubjectAltNameWarning, ) from urllib3.poolmanager import ProxyManager, proxy_from_url from urllib3.util.ssl_ import create_urllib3_context @@ -213,6 +216,24 @@ assert isinstance(e.value.reason, SSLError) assert "doesn't match" in str(e.value.reason) + @onlyPy3 + def test_proxy_verified_warning(self): + """Skip proxy verification to validate warnings are generated""" + with warnings.catch_warnings(record=True) as w: + with proxy_from_url(self.https_proxy_url, cert_reqs="NONE") as https: + r = https.request("GET", "%s/" % self.https_url) + assert r.status == 200 + assert len(w) == 2 # We expect two warnings (proxy, destination) + assert w[0].category == InsecureRequestWarning + assert w[1].category == InsecureRequestWarning + messages = set(str(x.message) for x in w) + expected = [ + "Unverified HTTPS request is being made to host 'localhost'", + "Unverified HTTPS connection done to an HTTPS proxy.", + ] + for warn_message in expected: + assert [msg for msg in messages if warn_message in expected] + def test_redirect(self): with proxy_from_url(self.proxy_url) as http: r = http.request( @@ -565,3 +586,35 @@ assert "hostname 'localhost' doesn't match" in str( e.value.reason ) or "Hostname mismatch" in str(e.value.reason) + + @onlyPy3 + def test_https_proxy_ipv4_san(self, ipv4_san_proxy): + proxy, server = ipv4_san_proxy + proxy_url = "https://%s:%s" % (proxy.host, proxy.port) + destination_url = "https://%s:%s" % (server.host, server.port) + with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https: + r = https.request("GET", destination_url) + assert r.status == 200 + + @onlyPy3 + def test_https_proxy_ipv6_san(self, ipv6_san_proxy): + proxy, server = ipv6_san_proxy + proxy_url = "https://[%s]:%s" % (proxy.host, proxy.port) + destination_url = "https://%s:%s" % (server.host, server.port) + with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https: + r = https.request("GET", destination_url) + assert r.status == 200 + + @onlyPy3 + def test_https_proxy_common_name_warning(self, no_san_proxy): + proxy, server = no_san_proxy + proxy_url = "https://%s:%s" % (proxy.host, proxy.port) + destination_url = "https://%s:%s" % (server.host, server.port) + + with warnings.catch_warnings(record=True) as w: + with proxy_from_url(proxy_url, ca_certs=proxy.ca_certs) as https: + r = https.request("GET", destination_url) + assert r.status == 200 + + assert len(w) == 1 + assert w[0].category == SubjectAltNameWarning