Skip to content

Inject SSL context into urllib3 ProxyManager, too #13343

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 21, 2025
Merged

Inject SSL context into urllib3 ProxyManager, too #13343

merged 1 commit into from
May 21, 2025

Conversation

ichard26
Copy link
Member

@ichard26 ichard26 commented Apr 21, 2025
edited
Loading

When a proxy is involved, requests uses a urllib3 proxy manager instead of the pool manager. We only inject our SSL context into the pool manager, which means the truststore context is lost when a proxy is set.

We can modify proxy manager construction by overriding proxy_manager_for on the requests adapters as described here: psf/requests#6109 (comment)

I have no idea how to write a test for this (at least for the time being), so @schribl I'd appreciate if you could check whether this fixes your issue or not. You can install this branch via pip install https://github.com/ichard26/pip/archive/bug/lost-ssl-context.zip. No rush!

Should fix #13288.

@ichard26
Inject SSL context into urllib3 ProxyManager, too
6e2a933 
When a proxy is involved, requests uses a urllib3 proxy manager instead of
the pool manager. We only inject our SSL context into the pool manager,
which means the truststore context is lost when a proxy is set.

We can modify proxy manager construction by overriding proxy_manager_for
on the requests adapters.
@ichard26 ichard26 added this to the 25.2 milestone Apr 23, 2025
@schribl
Copy link

schribl commented Apr 26, 2025

@ichard26 I currently have no access to the system I encountered it, but I will test it in roughly 2 weeks. Thanks a lot for investigating it!

@ichard26
Copy link
Member Author

We're not in a rush, no worries!

@schribl
Copy link

schribl commented May 20, 2025

@ichard26 I finally got to testing your code change and it actually fixes the issue for me!

So I did get a reproducing environment (working with pip < 24.2) and updated to the latest pip afterwards the issue was the same as described in #13288 . When installing the zip file via pip I was afterwards able to install packages without any other change to the env. Installing then again pip 25.1.1 and the issue appeared again.

Thanks a lot for the investigation and the fix!

@ichard26 ichard26 merged commit 30807c4 into pypa:main May 21, 2025
29 checks passed
@ichard26
Copy link
Member Author

Thank you @schribl, glad to hear that this fixes the issue for you!

@ichard26 ichard26 deleted the bug/lost-ssl-context branch May 21, 2025 01:34
This was referenced May 26, 2025
Merged
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@uranusjr uranusjr uranusjr approved these changes

Assignees
No one assigned
Labels
bot:chronographer:provided
Projects
None yet
Milestone
25.2
Development

Successfully merging this pull request may close these issues.

pip with truststore and proxy can use incorrect ssl_context
3 participants
@ichard26 @schribl @uranusjr