Hostname matching doesn't strip trailing '.' when connecting with proxy #2244

@el-deano

Subject

Same issue as #1254 / #1255 only when using a proxy.

Environment

>>> print("OS", platform.platform())
OS Linux-3.10.0-1160.15.2.el7.x86_64-x86_64-with-glibc2.17
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.26.4
>>>

Steps to Reproduce

Substitute "someproxy-server.com:8080" with a real proxy server to test this.
Just like #1254 the connection works with github.com but fails with github.com. (trailing dot).

import urllib3
proxy = urllib3.ProxyManager('http://someproxy-server.com:8080') 
# this works
proxy.request('GET', 'https://github.com')
# this fails
proxy.request('GET', 'https://github.com.')

Expected Behavior

The trailing dot for domain when connecting via proxy should be stripped just as it is in a direct connection as fixed in #1255.

Since _match_hostname() is using server_hostname which, in the case of proxy connections, comes from self._tunnel_host instead of self.host, it seems that a .rstrip(".") should either be added when self._tunnel_host is referenced here or when it is constructed from self._proxy_host here or when self._proxy_host is defined and mutated here. The first option seems the safest, but the last option may be most correct.

Actual Behavior

>>> import urllib3
>>> proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
>>> proxy.request('GET', 'https://github.com')
<urllib3.response.HTTPResponse object at 0x7fce2ad964c0>
>>> proxy.request('GET', 'https://github.com.')
Traceback (most recent call last):
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
    conn.connect()
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 464, in connect
    _match_hostname(cert, self.assert_hostname or server_hostname)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 512, in _match_hostname
    match_hostname(cert, asserted_hostname)
  File "/usr/local/lib/python3.9/ssl.py", line 416, in match_hostname
    raise CertificateError("hostname %r "
ssl.SSLCertVerificationError: ("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 74, in request
    return self.request_encode_url(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 96, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 532, in urlopen
    return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 375, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='github.com.', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'")))
>>>
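
Added example, not part of the original issue and not urllib3's own code: a minimal model of the check described above, showing that the name taken from the tunnel host fails certificate matching with its trailing dot and passes once `.rstrip(".")` is applied, while an unrelated name is still rejected. The function names are hypothetical and the certificate dict is constructed from the two names quoted in the traceback.

```python
# Added illustration; not urllib3 source. All function names are hypothetical.

# Constructed certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(), with the two names quoted in the traceback.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "github.com"), ("DNS", "www.github.com")),
}


def dns_name_matches(pattern, hostname):
    """Case-insensitive dNSName match; '*' is honoured only as the
    entire left-most label and never directly under a top-level label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        # "github.com." splits into three labels (the last one empty),
        # so it can never equal the two-label "github.com".
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(cert, hostname):
    """True if any DNS subjectAltName entry matches hostname."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(dns_name_matches(s, hostname) for s in sans)


def verification_hostname(host, tunnel_host=None, normalize=True):
    """Pick the name to verify: the tunnel target when a proxy is in use,
    otherwise the connection host. normalize=False models the reported bug."""
    name = tunnel_host if tunnel_host is not None else host
    return name.rstrip(".") if normalize else name


def check(host, tunnel_host=None, normalize=True):
    """Verify the constructed certificate against the selected name."""
    name = verification_hostname(host, tunnel_host, normalize)
    return cert_matches(SAMPLE_CERT, name)


if __name__ == "__main__":
    proxy = "someproxy-server.com"
    print("tunnel, raw name:     ", check(proxy, "github.com.", normalize=False))
    print("tunnel, stripped name:", check(proxy, "github.com."))
    print("unrelated name:       ", check(proxy, "github.com.evil.example."))
```

Stripping the dot only changes which spelling of the same fully qualified name is compared; the SAN match itself is still required to succeed.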
