Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move to TLS client protocol for http connections #191

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Move to TLS client protocol for http connections #191

wants to merge 1 commit into from

Conversation

AaronAtDuo
Copy link
Contributor

Since TLS_PROTOCOL is itself deprecated, this is the suggested update. It does technically change the default behavior though:
https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT

The protocol enables [CERT_REQUIRED](https://docs.python.org/3/library/ssl.html#ssl.CERT_REQUIRED) and [check_hostname](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname) by default.
~``

@AaronAtDuo
Copy link
Contributor Author

Also I need to rebase but we can start the discussion.

AaronAtDuo
AaronAtDuo commented Jan 25, 2023
View reviewed changes
duo_client/https_wrapper.py
if cert_file:
context.load_cert_chain(cert_file, key_file)
if ca_certs:
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile=ca_certs)
else:
# Can't check hostnames if we're not requiring server certificates
context.check_hostname = False
Copy link
Contributor Author

@AaronAtDuo AaronAtDuo Jan 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PROTOCOL_TLS_CLIENT automatically makes check_hostname True (side note, that means PROTOCOL_SSLv23 and PROTOCOL_TLS don't?) but if we don't require certs, we obviously can't required hostname checking.

@AaronAtDuo
Copy link
Contributor Author

This would change the default behavior to start enforcing hostname verification when certificates are in use. Is that a concern?

@AaronAtDuo AaronAtDuo mentioned this pull request Jan 25, 2023
Open
@mbish
Copy link
Contributor

mbish commented Jan 25, 2023

yeah it is. We have a number of tests that disable cert validation

@AaronAtDuo
Copy link
Contributor Author

yeah it is. We have a number of tests that disable cert validation

and those are exactly the tests that failed until I added the line about disabling hostname verification.

@AaronAtDuo AaronAtDuo mentioned this pull request Mar 6, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AaronAtDuo @mbish