Hostname matching doesn't strip trailing '.' when connecting with proxy
Subject
Same issue as https://github.com/urllib3/urllib3/issues/1254 / https://github.com/urllib3/urllib3/pull/1255 only when using a proxy.
Environment
>>> print("OS", platform.platform())
OS Linux-3.10.0-1160.15.2.el7.x86_64-x86_64-with-glibc2.17
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.26.4
>>>
Steps to Reproduce
Substitute “someproxy-server.com:8080” with a real proxy server to test this. Just like https://github.com/urllib3/urllib3/issues/1254 the connection works with github.com but fails with github.com. (trailing dot).
import urllib3
proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
# this works
proxy.request('GET', 'https://github.com')
# this fails
proxy.request('GET', 'https://github.com.')
Expected Behavior
The trailing dot for domain when connecting via proxy should be stripped just as it is in a direct connection as fixed in https://github.com/urllib3/urllib3/pull/1255.
Since _match_hostname() is using server_hostname which, in the case of proxy connections, comes from self._tunnel_host instead of self.host, it seems that a .rstrip(".") should either be added when self._tunnel_host is referenced here or when it is constructed from self._proxy_host here or when self._proxy_host is defined and mutated here. The first option seems the safest, but the last option may be most correct.
Actual Behavior
>>> import urllib3
>>> proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
>>> proxy.request('GET', 'https://github.com')
<urllib3.response.HTTPResponse object at 0x7fce2ad964c0>
>>> proxy.request('GET', 'https://github.com.')
Traceback (most recent call last):
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
self._prepare_proxy(conn)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
conn.connect()
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 464, in connect
_match_hostname(cert, self.assert_hostname or server_hostname)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 512, in _match_hostname
match_hostname(cert, asserted_hostname)
File "/usr/local/lib/python3.9/ssl.py", line 416, in match_hostname
raise CertificateError("hostname %r "
ssl.SSLCertVerificationError: ("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 74, in request
return self.request_encode_url(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 96, in request_encode_url
return self.urlopen(method, url, **extra_kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 532, in urlopen
return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 375, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='github.com.', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'")))
>>>
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 5 (2 by maintainers)
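The mismatch reported above, reduced to an offline model. This is an added example, not urllib3's code and not part of the original issue; `san_matches`, `name_to_verify` and the `strip_tunnel_dot` switch are hypothetical names, and the certificate is a constructed dict holding the two names quoted in the traceback.

```python
# Added illustration: a simplified stand-in, not urllib3's or the ssl module's code.

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns,
# carrying the two names quoted in the traceback.
CERT = {"subjectAltName": (("DNS", "github.com"), ("DNS", "www.github.com"))}


def san_matches(cert, hostname):
    """Exact, case-insensitive comparison against DNS subjectAltName entries.

    Wildcards are deliberately left out. Like the check in the traceback,
    this treats 'github.com.' and 'github.com' as different names.
    """
    wanted = hostname.lower()
    return any(kind == "DNS" and value.lower() == wanted
               for kind, value in cert.get("subjectAltName", ()))


def name_to_verify(host, tunnel_host=None, strip_tunnel_dot=False):
    """Pick the name handed to certificate matching.

    host             -- host the socket connects to (the proxy, when tunnelling)
    tunnel_host      -- CONNECT target when going through a proxy, else None
    strip_tunnel_dot -- hypothetical switch modelling the fix the issue proposes
    """
    if tunnel_host is None:
        # Direct connection: trailing dot is stripped (the behaviour the
        # issue attributes to the earlier fix).
        return host.rstrip(".")
    # Proxy tunnel: the certificate belongs to the tunnel target, not the proxy.
    return tunnel_host.rstrip(".") if strip_tunnel_dot else tunnel_host


def verify(cert, host, tunnel_host=None, strip_tunnel_dot=False):
    """Return True when the certificate covers the name chosen for this path."""
    return san_matches(cert, name_to_verify(host, tunnel_host, strip_tunnel_dot))


if __name__ == "__main__":
    proxy = "someproxy-server.com"
    print("direct, trailing dot:", verify(CERT, "github.com."))
    print("tunnel, as reported: ", verify(CERT, proxy, "github.com."))
    print("tunnel, dot stripped:", verify(CERT, proxy, "github.com.", True))
    # Normalising the name must not widen what the certificate is accepted for.
    print("tunnel, other host:  ", verify(CERT, proxy, "example.org.", True))
```

The last case is the one to keep in a regression test: stripping the dot changes only the spelling of the name being verified, so a tunnel target the certificate does not list is still rejected.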
Top GitHub Comments
@achapkowski @VaniKulkarni You’re getting hit by #2400, can you please stop commenting about it here?
@achapkowski Can you please open a new issue with more details about your environment? Your problem seems different, even if it’s also a TLS issue involving proxies