Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Session adapter doesn't update https connections cert data #4325

Open
aleperno opened this issue Oct 4, 2017 · 4 comments
Open

Session adapter doesn't update https connections cert data #4325

aleperno opened this issue Oct 4, 2017 · 4 comments

Comments

@aleperno
Copy link

aleperno commented Oct 4, 2017
edited
Loading

Under a session, the first https request sets the HTTPSConnectionPool certs data.
If in a subsequent request, we change the certs data (eg: Set verify to True), the adaptor will update the ConnectionPool attributes, however each connection in the pool will still contain the old certs data, thus when requesting a connection from the pool, its info will differ from what we would expect.

Expected Result

The used connection should have updated certs data

Actual Result

The used connection have "old" certs data.

Reproduction Steps

These tests where performed against a server with a self-signed CA.

In [1]: from requests import Session

In [2]: url = "https://somepage"

In [3]: auth = ("admin", "admin123")

In [4]: s = Session()

In [5]: s.get(url, auth=auth, verify=False)

Out[5]: <Response [200]>

# This should fail, but doesnt
In [6]: s.get(url, auth=auth, verify=True)

Out[6]: <Response [200]>

# Create a new session
In [7]: Session().get(url, auth=auth, verify=True)
# Raises certificate verify failed

I'm aware ConnectionPool is in urllib realm, but since it's the adaptor who is updating the pool data, perhaps it should also handle this scenario?

System Information

{
"chardet": {
"version": "3.0.4"
},
"cryptography": {
"version": "1.7.2"
},
"idna": {
"version": "2.6"
},
"implementation": {
"name": "CPython",
"version": "2.7.12"
},
"platform": {
"release": "4.4.0-59-generic",
"system": "Linux"
},
"pyOpenSSL": {
"openssl_version": "1000207f",
"version": "16.0.0"
},
"requests": {
"version": "2.18.4"
},
"system_ssl": {
"version": "1000207f"
},
"urllib3": {
"version": "1.22"
},
"using_pyopenssl": true
}
@Lukasa
Copy link
Member

Lukasa commented Oct 4, 2017

Yeah. Requests is using some old APIs in urllib3 that don’t interact with the connection pooling. It should update to pass the TLS data into the pool manager to ensure that the TLS info factors in.

@aleperno
Copy link
Author

aleperno commented Oct 4, 2017

@Lukasa thanks for your prompt reply

elshadaghazade added a commit to elshadaghazade/requests that referenced this issue Oct 30, 2017
@elshadaghazade
fix for "Session adapter doesnt update https connections cert data ps…
2c71a63 
…f#4325"
@foslock
Copy link

foslock commented Nov 28, 2017

This is also true of the certificate/key paths provided in the cert keyword argument. It seems that the certfile and keyfile attributes are maintained on the connection and not reset if a new cert kwarg is given on a subsequent request on the session.

@lifehackjim
Copy link

Still observing this in 2.21.0, but you can issue session.close() to clear out the poolmanager, which will allow new requests with different verify values to be paid attention to.

This was referenced Oct 1, 2019
Open
Open
sohoffice pushed a commit to sohoffice/tavern that referenced this issue Jun 17, 2022
requests cannot properly handle TLS change with the connection pool. …
271118e 
…session.close() is suggested as a workaround.

psf/requests#4325
@Ousret Ousret mentioned this issue Sep 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@foslock @Lukasa @aleperno @lifehackjim