while this is included with and gets updated through requests, it’d be better to include it separately so we can get certifi updates more frequently rather than waiting on requests to put out a release
the secure extra installs certifi and other things we’ll need to verify HTTPS
PyOpenSSL
Because we’re using Python 2.7.4 we don’t have the latest ssl changes backported from Python 3. They were only added to 2.7.9, so until we can upgrade to that, PyOpenSSL provides newer TLS protocol support and security improvements.
This is why we inject PyOpenSSL into urllib3
SNI Support
Certifi
Provides us with up-to-date root certificates bundled by Mozilla and ensures we can verify HTTPS
Addresses InsecurePlatformWarning
Certain Python platforms (specifically, versions of Python earlier than 2.7.9) have restrictions in their ssl module that limit the configuration that urllib3 can apply. In particular, this can cause HTTPS requests that would succeed on more featureful platforms to fail, and can cause certain security features to be unavailable.
Addresses SNIMissingWarning
Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present a TLS certificate that is not valid for the website you’re trying to access.
We should be verifying HTTPS requests by default, because security. This will enable HTTPS verification by default, meaning we check that a server’s certificate is signed by a trusted certificate authority.
Furthermore, it temporarily uses older, insecure, root certificates from Mozilla (old_where()) to support cross-signed certificates until we can update to 2.7.9 or update OpenSSL.
We still do not verify HTTPS requests for sync-engine-eas. We have a custom HTTPAdapter called RetryHTTPAdapter that does not do verification, probably because our customers are using self-signed certs. I’ve updated that adapter to use ssl.PROTOCOL_SSLv23 to ensure greatest compatibility. While eavesdroppers wouldn’t be able to listen in on the traffic, the connection is still susceptible to a MITM attack. This is why we don't expose any sensitive information through webhooks currently.
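To make the two configurations described above concrete, here is an added example (not code from this PR or from sync-engine) that builds the verifying context the PR turns on by default and the non-verifying one RetryHTTPAdapter still uses, plus an audit helper that tells them apart. It assumes only the standard library, treats certifi as an optional dependency, and falls back to ssl.PROTOCOL_SSLv23 when ssl.PROTOCOL_TLS_CLIENT is absent.

```python
"""Added example (not the PR's own code): build the two TLS client contexts the
PR description contrasts, and audit whether a context actually verifies."""
import ssl

# Python 3 has PROTOCOL_TLS_CLIENT; on the 2.7-era interpreters the PR targets
# only PROTOCOL_SSLv23 exists, so fall back to it (assumption: one of them exists).
_CLIENT_PROTOCOL = getattr(ssl, "PROTOCOL_TLS_CLIENT", None) or ssl.PROTOCOL_SSLv23


def _trusted_ca_bundle():
    """Prefer certifi's Mozilla bundle, as the PR's 'secure' extra does; fall
    back to the platform store when certifi is not installed."""
    try:
        import certifi  # optional dependency, assumed installed by the extra
        return certifi.where()
    except ImportError:
        return None


def make_client_context(verify=True, cafile=None):
    """verify=True  -> CERT_REQUIRED plus hostname check (the PR's new default).
    verify=False -> what RetryHTTPAdapter does: encrypted but unauthenticated,
                    so a MITM with any certificate is accepted.
    cafile       -> trust a customer's own CA bundle instead of turning
                    verification off for self-signed deployments."""
    ctx = ssl.SSLContext(_CLIENT_PROTOCOL)
    if verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        bundle = cafile or _trusted_ca_bundle()
        if bundle:
            ctx.load_verify_locations(cafile=bundle)
        else:
            ctx.load_default_certs()
    else:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_peer(ctx):
    """Audit helper: True only if the context would reject a MITM certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

The audit helper is the check to run over any adapter or context before it is allowed to carry sensitive data, since an encrypted-but-unverified connection is exactly the webhook case the PR describes.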