Unable to request a private URL endpoint with custom SNI and self-signed CA when the proxy is set #6900

Open
bughandler opened this issue Feb 19, 2025 · 0 comments · May be fixed by #6901

@bughandler

Recently I was using requests_toolbelt alongside the requests library. More specifically, I was leveraging the HostHeaderSSLAdapter from requests_toolbelt to make sure I could request a private URL endpoint (e.g. https://1.2.3.4:5678/api/check) with a custom SNI and a self-signed CA certificate.
It works great until I try to request the same thing with a proxy, and then the following SSL verification exception occurs:

requests.exceptions.SSLError: HTTPSConnectionPool(host='1.2.3.4', port=5678): Max retries exceeded with url: /api/check_token (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '1.2.3.4:'. (_ssl.c:1006)")))

I thought this was a bug in requests_toolbelt at first, like the existing bug report #276, but after doing some digging, I'm pretty sure it is bound to requests itself, hence I am reporting the bug here and will open a PR for it later.

Expected Result

Everything works the same way with or without a proxy.

Actual Result

  • Private URL endpoint + custom SNI + self-signed CA ✅
  • Private URL endpoint + custom SNI + self-signed CA + HTTP Proxy

Reproduction Steps

import requests
from requests_toolbelt.adapters.host_header_ssl import HostHeaderSSLAdapter

session = requests.Session()
session.trust_env = False
session.mount('https://', HostHeaderSSLAdapter())
# Modify http://127.0.0.1:20809 to your actual proxy url
session.proxies.update({'https': 'http://127.0.0.1:20809',
                        'http': 'http://127.0.0.1:20809'})
# Modify https://1.2.3.4:5678/api/check to your actual private URL endpoint
resp = session.get('https://1.2.3.4:5678/api/check',
                   headers={'Host': '{YOUR_HOST_NAME}'},
                   verify='{YOUR_SELF_SIGNED_CA_FILE}')
print(resp.status_code, resp.content)

System Information

No need

@bughandler bughandler linked a pull request Feb 19, 2025 that will close this issue