Skip to content

Move to TLS client protocol for http connections #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AaronAtDuo wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Move to TLS client protocol for http connections #191

AaronAtDuo wants to merge 1 commit into from

Conversation

@AaronAtDuo
Copy link
Contributor

@AaronAtDuo AaronAtDuo commented Jan 25, 2023

Since TLS_PROTOCOL is itself deprecated, this is the suggested update. It does technically change the default behavior though:
https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT

The protocol enables [CERT_REQUIRED](https://docs.python.org/3/library/ssl.html#ssl.CERT_REQUIRED) and [check_hostname](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname) by default.
~``

@AaronAtDuo
Copy link
Contributor Author

AaronAtDuo commented Jan 25, 2023

Also I need to rebase but we can start the discussion.

AaronAtDuo
AaronAtDuo commented Jan 25, 2023
View reviewed changes
duo_client/https_wrapper.py
context.load_verify_locations(cafile=ca_certs)
else:
# Can't check hostnames if we're not requiring server certificates
context.check_hostname = False
Copy link
Contributor Author

@AaronAtDuo AaronAtDuo Jan 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PROTOCOL_TLS_CLIENT automatically makes check_hostname True (side note, that means PROTOCOL_SSLv23 and PROTOCOL_TLS don't?) but if we don't require certs, we obviously can't required hostname checking.

@AaronAtDuo
Copy link
Contributor Author

AaronAtDuo commented Jan 25, 2023

This would change the default behavior to start enforcing hostname verification when certificates are in use. Is that a concern?

@AaronAtDuo AaronAtDuo mentioned this pull request Jan 25, 2023
Open
@mbish
Copy link
Contributor

mbish commented Jan 25, 2023

yeah it is. We have a number of tests that disable cert validation

@AaronAtDuo
Copy link
Contributor Author

AaronAtDuo commented Jan 25, 2023

yeah it is. We have a number of tests that disable cert validation

and those are exactly the tests that failed until I added the line about disabling hostname verification.

@AaronAtDuo AaronAtDuo mentioned this pull request Mar 6, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AaronAtDuo @mbish