requests icon indicating copy to clipboard operation
requests copied to clipboard

Published 20 hours ago verified publisher icon psf

Misusing of system-wide proxy on Windows / HTTPS connections over system-wide proxy on Windows do not work

Open ValdikSS opened this issue 3 years ago • 2 comments

On Windows 10 and 11, if a system-wide proxy is configured in the OS settings, Requests won't load HTTPS websites. Instead of the regular CONNECT header, Requests sends TLS request to the proxy server (ip and port). The TLS ClientHello does not have Server Name Indication field, that's why I assume that Requests misinterprets the proxy as a Secure Web Proxy (a regular proxy with TLS encapsulation on top), which Windows does not support.

Expected Result

If system-wide proxy is configured in Windows, Requests sends CONNECT header to the proxy server when HTTPS website is requested.

Actual Result

If system-wide proxy is configured in Windows, Requests sends TLS request to the proxy address when HTTPS website is requested.

Reproduction Steps

  1. Configure system-wide proxy on Windows
import requests
requests.get("https://w3.org/")

Result: My proxy does not respond to the packets it does not understand, and I receive the following error: HTTPSConnectionPool(host='w3.org, port=443): Max retries exceeded with url: / (Caused by ProxyError('Cannot connect to proxy.', timeout('_ssl.c:1114: The handshake operation timed out')))

System Information

$ python -m requests.help

{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "2.0.12"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.3"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.4"
  },
  "platform": {
    "release": "10",
    "system": "Windows"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.27.1"
  },
  "system_ssl": {
    "version": "101010ef"
  },
  "urllib3": {
    "version": "1.26.9"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}

ValdikSS avatar May 21 '22 17:05 ValdikSS

This is a Python's urllib bug, which is triggered by newer urllib3 version, thus affecting requests.

https://bugs.python.org/issue42627 https://github.com/python/cpython/issues/86793 https://github.com/python/cpython/commit/9743524fc14db39e2f309cf3d372c7e8e18fc93a

This bug has existed for a very long time (since Python 2.0.1 if not earlier), but it was exposed recently when urllib3 added support for HTTPS-in-HTTPS proxies in version 1.26. Before that, an https prefix on the HTTPS proxy url was silently treated as http, accidentally resulting in the correct behavior.

Fixed in Python 3.10.5, all the previous versions are still affected.

ValdikSS avatar Jun 11 '22 15:06 ValdikSS

https://github.com/urllib3/urllib3/issues/2164

ValdikSS avatar Jun 11 '22 15:06 ValdikSS