TLS-in-TLS not working with IP proxies


Subject

I’m trying to send a GET HTTP request to an HTTPS website through a secure proxy. The proxy only allows TLS connection with basic authentication.

To achieve this, I use a ProxyManager.

As a result, the following exception is triggered:

ValueError: check_hostname requires server_hostname

Environment

>>> print("OS", platform.platform())
OS Linux-5.12.13-x86_64-Intel-R-_Core-TM-_i7-8750H_CPU_@_2.20GHz-with-glibc2.33
>>> print("Python", platform.python_version())
Python 3.9.6
>>> print("urllib3", urllib3.__version__)
urllib3 1.25.11

Steps to Reproduce

You need an HTTPS proxy with basic authentication and an HTTPS website as an example:

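import urllib3

def get(url, proxy, username, password):

    # Basic-auth credentials are sent to the proxy as a proxy header
    headers  = urllib3.make_headers(proxy_basic_auth=f'{username}:{password}')
    # An https:// proxy in front of an https:// URL means TLS-in-TLS
    proxy    = urllib3.ProxyManager('https://{}'.format(proxy), proxy_headers=headers)
    response = proxy.request("GET", url)            # Exception is triggered here

    return (response)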

Expected Behavior

Website body page as a response.

Actual Behavior

Exception triggered:

Traceback (most recent call last):
[...]
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/request.py", line 74, in request
    return self.request_encode_url(
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/request.py", line 96, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/poolmanager.py", line 532, in urlopen
    return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/poolmanager.py", line 375, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
    conn.connect()
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/connection.py", line 500, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/home/janemba/.virtualenv/test-rCp672mu-py3.9/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib64/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib64/python3.9/ssl.py", line 997, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 17 (9 by maintainers)

Top GitHub Comments

5 reactions
sethmlarson commented, Sep 10, 2021

@Kcam9908 Did you read my reply to you directly above? In summary we don’t think the issue you’re seeing will be resolved by the PR you mentioned.

“as it is a critical fix for our product.”

Your organization might consider sponsoring our development efforts if urllib3 is critical to your business.

2 reactions
pquentin commented, Sep 1, 2021

Congratulations, you just found a bug! We send SNI even though we should not when the proxy is an IP. (That’s what the error message says.)

A workaround would be to use a hostname if you have one or just stop using TLS-in-TLS. (This has nothing to do with basic authentication.)
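
The last frames of the traceback above can be reproduced with the standard library alone. The following is an added example, not code from the issue or from urllib3: it shows that a context with `check_hostname` enabled refuses `wrap_socket()` when no `server_hostname` is given, and accepts an IP literal there, so certificate checking does not have to be turned off for an IP-addressed proxy. It assumes Python 3.7 or later; `PROXY_IP` is a constructed documentation address and `wrap_without_handshake` / `demo` are hypothetical helper names.

```python
import socket
import ssl

PROXY_IP = "192.0.2.10"  # constructed sample address (RFC 5737 documentation range)


def wrap_without_handshake(ctx, server_hostname):
    """Wrap one end of a local socket pair; no TLS bytes are exchanged."""
    a, b = socket.socketpair()
    try:
        tls = ctx.wrap_socket(
            a,
            server_hostname=server_hostname,
            do_handshake_on_connect=False,  # only exercise argument checking
        )
    except ValueError as exc:
        a.close()
        return f"ValueError: {exc}"
    finally:
        b.close()
    try:
        return f"ok server_hostname={tls.server_hostname!r}"
    finally:
        tls.close()


def demo():
    # Default client context: check_hostname=True, verify_mode=CERT_REQUIRED
    ctx = ssl.create_default_context()
    results = {
        # Same call shape as the final urllib3 frame: wrap_socket(sock) with no name
        "no_name": wrap_without_handshake(ctx, None),
        # Python 3.7+ accepts an IP literal here: it is not sent as SNI and is
        # checked against the IP entries of the certificate's subjectAltName
        "ip_literal": wrap_without_handshake(ctx, PROXY_IP),
    }
    # Verification was never relaxed to make the second call succeed
    results["verification_on"] = (
        ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

For the handshake itself to succeed against an IP-addressed proxy, the proxy certificate must list that address as an IP subjectAltName entry.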
