Hostname matching doesn't strip trailing '.' when connecting with proxy #2244
Description
Subject
Same issue as #1254 / #1255 only when using a proxy.
Environment
>>> print("OS", platform.platform())
OS Linux-3.10.0-1160.15.2.el7.x86_64-x86_64-with-glibc2.17
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.26.4
>>>
Steps to Reproduce
Substitute "someproxy-server.com:8080" with a real proxy server to test this.
Just like #1254 the connection works with github.com but fails with github.com. (trailing dot).
import urllib3
proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
# this works
proxy.request('GET', 'https://github.com')
# this fails
proxy.request('GET', 'https://github.com.')
Expected Behavior
The trailing dot for domain when connecting via proxy should be stripped just as it is in a direct connection as fixed in #1255.
Since _match_hostname() is using server_hostname which, in the case of proxy connections, comes from self._tunnel_host instead of self.host, it seems that a .rstrip(".") should either be added when self._tunnel_host is referenced here or when it is constructed from self._proxy_host here or when self,_proxy_host is defined and mutated here. The first option seems the safest, but the last option may be most correct.
Actual Behavior
>>> import urllib3 >>> proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
>>> proxy.request('GET', 'https://github.com')
<urllib3.response.HTTPResponse object at 0x7fce2ad964c0>
>>> proxy.request('GET', 'https://github.com.')
Traceback (most recent call last):
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
self._prepare_proxy(conn)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
conn.connect()
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 464, in connect
_match_hostname(cert, self.assert_hostname or server_hostname)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 512, in _match_hostname
match_hostname(cert, asserted_hostname)
File "/usr/local/lib/python3.9/ssl.py", line 416, in match_hostname
raise CertificateError("hostname %r "
ssl.SSLCertVerificationError: ("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 74, in request
return self.request_encode_url(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 96, in request_encode_url
return self.urlopen(method, url, **extra_kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 532, in urlopen
return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 375, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
return self.urlopen(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='github.com.', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'")))
>>>