What should be Overwritten to ignore all verification in a custom adapter? #6777

Open
achapkowski opened this issue Jul 31, 2024 · 2 comments

@achapkowski

Hello,

I wish to use a custom adapter that I can use to access servers with old and expired certificates so I can automate the updating of the SSL certs. The doc isn't really clear, so I consider this a bug.

I have the following:

```python
###########################################################################
import ssl

import truststore
from requests.adapters import (
    DEFAULT_POOLBLOCK,
    DEFAULT_POOLSIZE,
    DEFAULT_RETRIES,
    HTTPAdapter,
)


class TruststoreAdapter(HTTPAdapter):
    """An adapter for requests. This supplies a custom ssl_context to a set of requests."""

    custom_context: truststore.SSLContext | ssl.SSLContext | None = None

    def __init__(
        self,
        pool_connections=DEFAULT_POOLSIZE,
        pool_maxsize=DEFAULT_POOLSIZE,
        max_retries=DEFAULT_RETRIES,
        pool_block=DEFAULT_POOLBLOCK,
        ssl_context: truststore.SSLContext | ssl.SSLContext | None = None,
    ):
        # Set before super().__init__(), which calls init_poolmanager().
        self.custom_context = ssl_context

        super().__init__(
            pool_connections=pool_connections,
            pool_maxsize=pool_maxsize,
            max_retries=max_retries,
            pool_block=pool_block,
        )

    # ---------------------------------------------------------------------
    def __str__(self) -> str:
        return f"< {self.__class__.__name__} >"

    # ---------------------------------------------------------------------
    def __repr__(self) -> str:
        return f"< {self.__class__.__name__} >"

    # ---------------------------------------------------------------------
    def init_poolmanager(self, connections, maxsize, block=False):
        # Hand the caller-supplied context to urllib3's PoolManager.
        ctx = self.custom_context
        return super().init_poolmanager(connections, maxsize, block, ssl_context=ctx)
```

Where the SSL Context is defined as:

```python
ssl_context: truststore.SSLContext = truststore.SSLContext()
ssl_context.check_hostname = False
ssl_context.verify_mode = 0  # No check
```

@nateprewitt
Member

Hi @achapkowski, could you clarify what exactly you'd be looking for in the Requests documentation? We cover what the Adapter intent is at a high level; what the end user chooses to modify is very open-ended. urllib3 provides docs on how to provide a custom SSLContext to their PoolManager, which seems to be the change you're trying to make.

@achapkowski
Author

@nateprewitt I'll check out this doc and get back in a few. If my answer is there I will close this.

What I am seeing is that if the common name of an SSL certificate has a mismatch, an exception is raised when you provide a custom SSLContext object in the above HTTP adapter. So I was wondering if some other setting needs to be set to not verify common names.
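
An added example, not part of the original thread or of Requests' own code: one way to confine a context like the one above to a single host, so every other URL on the session keeps normal verification. `LEGACY_PREFIX`, `UnverifiedAdapter`, `scoped_session` and `verify_for` are hypothetical names, the host is a placeholder, and a plain `ssl.SSLContext` stands in for `truststore.SSLContext`.

```python
import ssl

import requests
from requests.adapters import HTTPAdapter

# Hypothetical host whose expired certificate is being rotated (placeholder).
# The trailing slash is part of the prefix on purpose.
LEGACY_PREFIX = "https://legacy.example.internal/"


def unverified_context() -> ssl.SSLContext:
    """Context with hostname and chain checks off, as in the issue."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: the stdlib raises ValueError if verify_mode is set to
    # CERT_NONE while check_hostname is still True.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


class UnverifiedAdapter(HTTPAdapter):
    """Hands a caller-supplied SSLContext to urllib3's pool manager."""

    def __init__(self, ssl_context: ssl.SSLContext, **kwargs):
        # Must exist before super().__init__(), which calls init_poolmanager().
        self.ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
        pool_kwargs["ssl_context"] = self.ssl_context
        return super().init_poolmanager(connections, maxsize, block, **pool_kwargs)


def scoped_session() -> requests.Session:
    """Only URLs under LEGACY_PREFIX are routed to the unverified adapter."""
    session = requests.Session()
    # Session.get_adapter() picks the longest matching prefix, so this mount
    # wins over the default "https://" adapter for the legacy host only.
    session.mount(LEGACY_PREFIX, UnverifiedAdapter(unverified_context()))
    return session


def verify_for(url: str) -> bool:
    """Assumption: the per-call `verify` flag is relaxed for the same host only."""
    return not url.lower().startswith(LEGACY_PREFIX)
```

Call it as `session.get(url, verify=verify_for(url))`. The trailing slash in the prefix keeps look-alike hosts such as `legacy.example.internal.example.net` from matching.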
