
SNI support

Open raphaelm opened this issue 10 years ago • 12 comments

In my setup the HTTP transport always failed because of an untrusted certificate. The certificate, however, was trusted, but the server sent the wrong certificate as raven's very own SSL wrapper apparently does not support TLS Server Name Indication. My guess is that this could be fixed by adding a server_hostname attribute with useful content to the ssl.wrap_socket call in raven.utils.http.urlopen.ValidHTTPSConnection.

raphaelm avatar Nov 10 '14 21:11 raphaelm

Does this work with the request transport?

xordoquy avatar Nov 11 '14 09:11 xordoquy

It does work with the requests transport, but then you lose the asynchronous thread feature.

gavinwahl avatar Dec 02 '14 00:12 gavinwahl

I would like to see:

  1. How much work it is to support SNI / http proxy by ourselves
  2. How much work it is to vendor requests
  3. How much work it is to vendor urllib3 (which afaik provides all of the functionality that we want out of requests)

On Monday, December 1, 2014 at 4:48 PM, Gavin Wahl wrote:

It does work with the requests transport, but then you lose the asynchronous thread feature.

— Reply to this email directly or view it on GitHub (https://github.com/getsentry/raven-python/issues/523#issuecomment-65165969).

dcramer avatar Dec 02 '14 00:12 dcramer

TBH, I'd go with vendoring requests. I don't have time to investigate urllib3 or DIY SNI / proxy support, in particular with how hard supporting some proxies is with the stdlib.

xordoquy avatar Feb 11 '15 18:02 xordoquy

+1 for this

fengsi avatar Aug 11 '16 02:08 fengsi

+1 for this

pypetey avatar Oct 30 '16 19:10 pypetey

+1

serathius avatar Dec 07 '16 19:12 serathius

I thought this was kind of a nightmare, having to write code for 10+ apps after switching to LetsEncrypt on the server; but then I noticed there is a pretty easy way to change the transport via the URL. Just use threaded+requests+https as a URL scheme!

miracle2k avatar Jan 08 '17 21:01 miracle2k

This fixed the problem for me. Should I submit a PR?

gartens avatar Jul 13 '18 15:07 gartens

@gartens Something went wrong on your tests (see flake8 core tests)

fzarifian avatar Sep 22 '18 16:09 fzarifian

Also to add, if you can change your sentry server nginx settings, use something like

server {
    listen   443 ssl default;
    ....
}

to force nginx to route the non-SNI default website to sentry.

est avatar Jan 28 '19 09:01 est

Thanks @est, this saved me from changing stuff in ~100 projects.

Somehow, somewhere last week, the sentry logging started throwing urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)>. Seems to be related to this issue; can't find any changes in our system so far.

jgadelange avatar Jan 19 '21 07:01 jgadelange