forcediphttpsadapter

Is verify=False needed?

Open sandroden opened this issue 6 years ago • 4 comments

Hi,

I have not been able to use this adapter; maybe I just misunderstood the goal, maybe I misused it... I wanted to use it to test a configuration before the DNS is properly set, in a situation where I have a proper certificate in place: the same test I would obtain by cheating with resolution in /etc/hosts. In this frame I need verification of the SSL chain to be done! That's part of what I want to test.

In your example, you explicitly set it to False. Do I misunderstand what this adapter is intended to do, or is it impossible to achieve?

Moreover, in the example you write session.get('/some/path', ...). It seems to me that you need to put an address there, while the path seems to refer to parsed_url.path

sandroden avatar Apr 08 '19 06:04 sandroden

Hi! The readme says

It does NO certificate verification (which would be pointless)

The reason is that certificate verification will NOT match the originating hostname (because it's a hacked IP).

As for session.get, you don't need an address there because you specified it in the previous line where you do session.mount. What you specify to session.get is a path relative to the address given to session.mount - this is no different from normal Requests usage.

Roadmaster avatar Apr 08 '19 14:04 Roadmaster

hi,

I did read the readme. What puzzles me is that if I change the resolution in /etc/hosts that's a way to get a hacked IP, but in that situation, I can have a correct ssl connection with validation and so on. So I personally don't understand what's different here. I know nothing of how SNI is implemented though. I'd say that no matter how you get the IP (from /etc/hosts or from --force-ip) the rest seems pretty much the same to me.

The idea that certification would be pointless is far from objective. E.g.: I like to verify that a setup works before publishing it, which I thought was the use case at the base of this adapter.

As far as the last point, I had errors, and reading requests' documentation:

The mount call registers a specific instance of a Transport Adapter to a prefix. Once mounted, any HTTP request made using that session whose URL starts with the given prefix will use the given Transport Adapter.

so I interpreted it as a routing mechanism: when this route is used, this adapter is to be used.

sandroden avatar Apr 08 '19 15:04 sandroden

Hi,

In the situation for which I wrote this, I have no control over /etc/hosts, so that solution didn't work for me.

The point of this adapter is actually to skip errors due to mismatched hostname/certificate (I have other checks for certificate validity), this is why in this context I don't care about validating the certificate itself.

Roadmaster avatar Apr 08 '19 15:04 Roadmaster

BTW: in your example you use session.get(uri, ...); in that context uri is certainly not the path... In my opinion the example is correct, and the documentation needs to be fixed

sandroden avatar Apr 08 '19 16:04 sandroden
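
The use case raised in this thread (force the destination IP as an /etc/hosts override would, while keeping certificate and hostname verification on) can be covered with the Python standard library alone. The following is an added example, not part of the thread or of forcediphttpsadapter; `PinnedIPHTTPSConnection` and `fetch_status` are hypothetical names.

```python
import http.client
import socket
import ssl


class PinnedIPHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS to `host`, but the TCP connection is dialled to `dest_ip`.

    Hypothetical helper (not from forcediphttpsadapter). SNI, the Host
    header and certificate verification all still use `host`, which is
    what an /etc/hosts override would give you.
    """

    def __init__(self, host, dest_ip, context=None, **kwargs):
        # Default context: CERT_REQUIRED plus hostname checking.
        self.tls_context = context or ssl.create_default_context()
        self.dest_ip = dest_ip
        super().__init__(host, context=self.tls_context, **kwargs)

    def connect(self):
        # DNS is bypassed here: dial the forced IP directly.
        raw = socket.create_connection((self.dest_ip, self.port), self.timeout)
        try:
            # server_hostname sets SNI and is the name the certificate
            # must match; a mismatch raises ssl.SSLCertVerificationError.
            self.sock = self.tls_context.wrap_socket(
                raw, server_hostname=self.host)
        except BaseException:
            raw.close()
            raise


def fetch_status(host, dest_ip, path="/", port=443, timeout=10):
    """GET https://host[:port]/path via dest_ip; return the HTTP status."""
    conn = PinnedIPHTTPSConnection(host, dest_ip, port=port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()
```

A server at the forced IP that presents a certificate not valid for `host` makes `fetch_status` raise instead of returning, which is the pre-publication check described in the issue.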