
Transport adapters not honored with proxy

Open patatetom opened this issue 1 year ago • 0 comments

hi,

making a poor socks server at localhost on port 8001 with ssh/sshd running at localhost :

@term1$ ssh -N -D localhost:8001 localhost

making a self-signed certificate for testing and debugging negotiations on server side with s_server@openssl :

@term2$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes 
        while :
        do
            echo -e "HTTP/1.0 200 OK\nContent-Length: 0\n\n" |
            openssl s_server -4 -cert cert.pem -key key.pem -accept 4433 -msg
        done

getting requests information :

@term3$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "charset_normalizer": {
    "version": "2.1.0"
  },
  "cryptography": {
    "version": "2.8"
  },
  "idna": {
    "version": "2.8"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.8.10"
  },
  "platform": {
    "release": "5.10.0-1057-oem",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "1010106f",
    "version": "19.0.0"
  },
  "requests": {
    "version": "2.28.1"
  },
  "system_ssl": {
    "version": "1010106f"
  },
  "urllib3": {
    "version": "1.25.8"
  },
  "using_charset_normalizer": false,
  "using_pyopenssl": true
}

running requests simply :

@term3$ python <<~~~
import requests
url = "https://localhost:4433/"
session = requests.Session()
response = session.head(url=url, verify=False)
~~~

TLS1.3 by default :

@term2$ ...
        <<< TLS 1.3, Handshake [length 0034], Finished
        ...
        >>> TLS 1.3, Handshake [length 00e9], NewSessionTicket
        ...

running requests with transport adapter only :

@term3$ python <<~~~
import ssl
import requests
from requests.adapters import HTTPAdapter
from urllib3.poolmanager import PoolManager
class TestHTTPAdapter(HTTPAdapter):
    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(
            num_pools=connections,
            maxsize=maxsize,
            block=block,
            ssl_version=ssl.PROTOCOL_TLSv1_2
        )
url = "https://localhost:4433/"
session = requests.Session()
session.mount(url, TestHTTPAdapter())
response = session.head(url=url, verify=False)
~~~

TLS1.2 is OK :slightly_smiling_face: :

@term2$ ...
        >>> TLS 1.2, Handshake [length 0010], Finished
        ...

running requests with transport adapter and socks proxy :

@term3$ python <<~~~
import ssl
import requests
from requests.adapters import HTTPAdapter
from urllib3.poolmanager import PoolManager
class TestHTTPAdapter(HTTPAdapter):
    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(
            num_pools=connections,
            maxsize=maxsize,
            block=block,
            ssl_version=ssl.PROTOCOL_TLSv1_2
        )
url = "https://localhost:4433/"
session = requests.Session()
session.mount(url, TestHTTPAdapter())
proxies={"https":"socks5://localhost:8001"}
response = session.head(url=url, proxies=proxies, verify=False)
~~~

TLS1.2 is KO :slightly_frowning_face: :

@term2$ ...
        <<< TLS 1.3, Handshake [length 0034], Finished
        ...
        >>> TLS 1.3, Handshake [length 00e9], NewSessionTicket
        ...

requests has the same behavior whether pyopenssl is present/used or not. HTTP/HTTPS proxies not tested : sorry.

regards, lacsaP.


note that httpie works as expected :

@term4$ https --verify no https://localhost:4433
HTTP/1.0 200 OK
Content-Length: 0
@term2$ ...
        <<< TLS 1.3, Handshake [length 0034], Finished
        ...
        >>> TLS 1.3, Handshake [length 00e9], NewSessionTicket
        ...
@term4$ https --ssl tls1.2 --verify no https://localhost:4433
HTTP/1.0 200 OK
Content-Length: 0
@term2$ ...
        >>> TLS 1.2, Handshake [length 0010], Finished
        ...
@term4$ https --ssl tls1.2 --verify no --proxy https:socks5://localhost:8001 https://localhost:4433
HTTP/1.0 200 OK
Content-Length: 0
@term2$ ...
        >>> TLS 1.2, Handshake [length 0010], Finished
        ...

as well as urllib3 :

@term5$ python <<~~~
import urllib3
https = urllib3.PoolManager(cert_reqs='CERT_NONE')
r = https.request('GET', 'https://localhost:4433')
~~~
@term2$ ...
        <<< TLS 1.3, Handshake [length 0034], Finished
        ...
        >>> TLS 1.3, Handshake [length 00e9], NewSessionTicket
        ...
@term5$ python <<~~~
import ssl, urllib3
https = urllib3.PoolManager(cert_reqs='CERT_NONE', ssl_version=ssl.PROTOCOL_TLSv1_2)
r = https.request('GET', 'https://localhost:4433')
~~~
@term2$ ...
        >>> TLS 1.2, Handshake [length 0010], Finished
        ...
@term5$ python <<~~~
import ssl
from urllib3.contrib.socks import SOCKSProxyManager
socks = SOCKSProxyManager('socks5h://localhost:8001/', cert_reqs='CERT_NONE', ssl_version=ssl.PROTOCOL_TLSv1_2)
r = socks.request('GET', 'https://localhost:4433')
~~~
@term2$ ...
        >>> TLS 1.2, Handshake [length 0010], Finished
        ...

patatetom, Jul 27 '22 22:07
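An added example, not part of the original issue and not code from the requests project: in requests, a proxied request is served by the manager that `HTTPAdapter.proxy_manager_for` builds, not by the `PoolManager` created in `init_poolmanager`, so an adapter that must keep the same TLS settings through a proxy has to override both. The class and function names are hypothetical, and an `ssl.SSLContext` pinned to TLS 1.2 is used here in place of the `ssl_version` argument from the issue.

```python
import ssl

from requests.adapters import HTTPAdapter


def make_tls12_context():
    """Client context pinned to TLS 1.2; certificate checks stay enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class PinnedTLSAdapter(HTTPAdapter):
    """Hypothetical adapter: same TLS context with or without a proxy."""

    def __init__(self, ssl_context, **kwargs):
        # Set before HTTPAdapter.__init__, which calls init_poolmanager.
        self._ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
        # Direct connections: no proxy selected for the URL.
        pool_kwargs["ssl_context"] = self._ssl_context
        super().init_poolmanager(connections, maxsize, block=block, **pool_kwargs)

    def proxy_manager_for(self, proxy, **proxy_kwargs):
        # Proxied connections (HTTP CONNECT or SOCKS) get a separate manager,
        # so the context has to be handed over here as well.
        proxy_kwargs["ssl_context"] = self._ssl_context
        return super().proxy_manager_for(proxy, **proxy_kwargs)


def build_adapter():
    """Adapter ready to mount, e.g. session.mount("https://localhost:4433/", ...)."""
    return PinnedTLSAdapter(make_tls12_context())
```

Mounted on the session from the issue and used with `proxies={"https": "socks5://localhost:8001"}`, the SOCKS path receives the same context as the direct path; SOCKS support in requests needs the PySocks package installed.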