Use SNI for ssl connections #109
Conversation
…t, `wrap_socket()` does not allow this If explicit `server_hostname` ssl option is specified, it is used as SNI, otherwise the content of the `Host` HTTP header or the host from the requested URL
|
Does anybody want to get it merged? |
|
Plese fix all existing test cases, and also add test cases for the things you intend to fix with your pull request. Also, avoiding further external dependencies would be great. |
|
At the moment I created this PR, all tests passed, however, it seems, that google changed And I 'm bit confused about why you asked
because that is what I added to |
because that is what I added to test_ssl.py. If that is not enough, could you please point what I do not cover with them? Sorry, my fault, had missed that when I briefly looked over it. Didn't go through it thoroughly, as the tests were still failing. I suggest to replace google with http://httpbin.org/ if the issues remain, for all occurences of google in the tests. |
|
Ok, here is the update. |
|
About |
|
hmm, I'll see if I manage to extract it on the weekend. this is dev Dep anyway, so I thought it wouldn't be that bad |
|
Sure. And thanks already for contributing to our little project here! |
|
It seems there is more than 30 lines, as it makes use of of TLSRecord, which inherits from base Packet class , so it would be cumbersome to try to extract all this machinery from the dpkt. |
There was a problem hiding this comment.
Thanks for this contribution. Supporting SNI is a must to keep this library alive.
I'm confused by the failing CI, has dpkt introduced a breaking change ?
I will gratefully merge this as soon as the CI is green.
For the added dependency don't copy source code. I understand Michael's point of view but I don't think it worth for a test dep.
| insecure=False, | ||
| proxy_host=None, proxy_port=None, version=HTTP_11, | ||
| headers_type=Headers): | ||
| if headers is None: |
There was a problem hiding this comment.
I don't get this change, what's the point ? I'm out of the python world for some time now...
There was a problem hiding this comment.
It's about this https://docs.python-guide.org/writing/gotchas/#mutable-default-arguments for headers
|
Apparently, Travis did not install the dev requirements, I tried to correct it in the config, but someone probably need to actually install it |
|
would anybody please try to install the travis script if I'm right about the cause of the error? |
setup.py
Outdated
| install_requires=requirements) | ||
| install_requires=requirements, | ||
| extras_require={ | ||
| 'dev': get_requirements('requirements-dev.txt'), |
There was a problem hiding this comment.
Does this handle the "-r requirements.txt" correctly?
.travis.yml
Outdated
| @@ -6,7 +6,7 @@ python: | |||
| - "3.5" | |||
| - "3.6" | |||
| install: | |||
| - "pip install ." | |||
| - "pip install .[dev]" | |||
There was a problem hiding this comment.
How about
- pip install -r requirements-dev.txt
- pip install .
Can't find a proper documentation for this [] syntax right now. Keeping simple things simple, and that should work in any case
There was a problem hiding this comment.
Also
before_install:
- pip install -U pip
might be an option, in case the 9.0.1 on Travis is not recent enough for that extras_require syntax.
|
I have no idea why the travis build hangs, tox on my machine feels good: |
|
Did you try it with the same dependency versions like on travis? Just to exclude issues with them.
|
|
I now think this is somehow related with hostname resolving, I 'll try to mock it, because I currently rely on |
|
Just for the record, tox also runs fine on my machine. You might try to set -v and -s for pytest, to get some more details into the travis log, and temporarily throw in some debug prints into the test case. It might hang in some other place you didn't expect, some gevent loop story or whatever. |
|
I think that is it |
|
Looks good to me. @gwik ? |
|
LGTM. Thx !
…On Thu 25 Oct 2018 at 16:07, Michael ***@***.***> wrote:
Looks good to me. @gwik <https://github.com/gwik> ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#109 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAArmgW8XHTan5gBSJYsiM8W0-Xzrb53ks5uocWLgaJpZM4XWFB9>
.
|
|
It was tough, thanks) |
|
Just went through some older bug reports to see if they were related and possibly fixed. Trying Chrome and Firefox seem to have no issues with that site and get a correct certificate. Might be worth to have another look I guess. |
I'm not hyper experienced with SSL and don't know why we shouldn't make this context default context , but without context there is no way to use SNI, because gevent/_ssl3.py: def wrap_socket(sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None):
return SSLSocket(sock=sock, keyfile=keyfile, certfile=certfile,
server_side=server_side, cert_reqs=cert_reqs,
ssl_version=ssl_version, ca_certs=ca_certs,
do_handshake_on_connect=do_handshake_on_connect,
suppress_ragged_eofs=suppress_ragged_eofs,
ciphers=ciphers) |
|
Me neither, but if that context is necessary for SNI to work, it should be set. Or is there any harmful side effect I'd be missing? |
No description provided.