psf / requests

A simple, yet elegant, HTTP library.
https://requests.readthedocs.io/en/latest/
Apache License 2.0

What should be Overwritten to ignore all verification in a custom adapter? #6777

Open achapkowski opened 3 months ago

achapkowski commented 3 months ago

Hello,

I wish to use a custom adapter that I can use to access servers with old and expired certificates so I can automate the updating of the SSL certs. The doc isn't really clear, so I consider this a bug.

I have the following:

```python
import ssl

import truststore
from requests.adapters import (
    DEFAULT_POOLBLOCK,
    DEFAULT_POOLSIZE,
    DEFAULT_RETRIES,
    HTTPAdapter,
)


###########################################################################
class TruststoreAdapter(HTTPAdapter):
    """An adapter for requests. This supplies a custom ssl_context to a set of requests."""

    custom_context: truststore.SSLContext | ssl.SSLContext | None = None

    def __init__(
        self,
        pool_connections=DEFAULT_POOLSIZE,
        pool_maxsize=DEFAULT_POOLSIZE,
        max_retries=DEFAULT_RETRIES,
        pool_block=DEFAULT_POOLBLOCK,
        ssl_context: truststore.SSLContext | ssl.SSLContext | None = None,
    ):
        # Must be set before super().__init__(), which calls init_poolmanager().
        self.custom_context = ssl_context

        super().__init__(
            pool_connections=pool_connections,
            pool_maxsize=pool_maxsize,
            max_retries=max_retries,
            pool_block=pool_block,
        )

    # ---------------------------------------------------------------------
    def __str__(self) -> str:
        return f"< {self.__class__.__name__} >"

    # ---------------------------------------------------------------------
    def __repr__(self) -> str:
        return f"< {self.__class__.__name__} >"

    # ---------------------------------------------------------------------
    def init_poolmanager(self, connections, maxsize, block=False):
        # Hand the custom context to urllib3's PoolManager.
        ctx = self.custom_context
        return super().init_poolmanager(connections, maxsize, block, ssl_context=ctx)
```

Where the SSL Context is defined as:

```python
ssl_context: truststore.SSLContext = truststore.SSLContext()
ssl_context.check_hostname = False
ssl_context.verify_mode = 0  # No check
```

nateprewitt commented 3 months ago

Hi @achapkowski, could you clarify what exactly you'd be looking for in the Requests documentation? We cover what the Adapter intent is at a high level; what the end user chooses to modify is very open-ended. urllib3 provides docs on how to provide a custom SSLContext to their PoolManager, which seems to be the change you're trying to make.

achapkowski commented 3 months ago

@nateprewitt I'll check out this doc and get back in a few. If my answer is there I will close this.

What I am seeing is that if the common name of an SSL certificate has a mismatch, an exception is raised when you provide a custom SSLContext object in the above HTTP adapter. So I was wondering if some other setting needs to be set to not verify common names.