sethmlarson/truststore

Empty or no certificate error

guerda opened this issue · 4 comments

Testing out requests and truststore with some corporate CA yields errors, depending on how the certificate is set up.

urllib3\connection.py:458: SubjectAltNameWarning: Certificate for xxx.intranet.cnb has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
ERROR empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED

Trying the same servers with urllib3 and truststore:

>>> import urllib3
>>> import truststore
>>> ctx = truststore.SSLContext()
<stdin>:1: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
<stdin>:1: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
>>> http = urllib3.PoolManager(ssl_context=ctx)
>>> resp = http.request('GET', 'https://xxx.intranet.cnb')
C:\Users\wdwni\.virtualenvs\sdr-api-example-WgBfLP6C\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'xxx.intranet.cnb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
>>> resp = http.request('GET', 'https://yyy.intranet.cnb')
C:\Users\wdwni\.virtualenvs\sdr-api-example-WgBfLP6C\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'yyy.intranet.cnb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
>>> truststore.__version__
'0.4.0'
>>> urllib3.__version__
'1.26.11'

Originally discovered in #71

@guerda Thanks. In the other issue, I got distracted by the warnings about the protocol argument (which can probably be resolved by doing ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) instead of ctx = truststore.SSLContext()) and missed the ones about subjectAltName and about certificate verification being disabled. We should take a closer look.

Seems that I was distracted by that too. The urllib3 example now works and did work yesterday too 😁
If I specify the PROTOCOL_TLS_CLIENT, it also works for requests.

I assume that the PROTOCOL_TLS_CLIENT is mandatory in some situations.

Created #73 to fix the documentation examples, and observed that there were no InsecureRequestWarnings. You're also not seeing any warnings now that you're using PROTOCOL_TLS_CLIENT? This would make sense as setting this value enables certificate verification as well.
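The behaviour the two of us are describing, as an added example (not part of the thread or of the truststore project): it uses the standard-library `ssl.SSLContext` so it runs without truststore installed, on the assumption that `truststore.SSLContext` follows the stdlib defaults for whichever protocol it is given, which is what the reports above show. A context created without a protocol argument starts with `verify_mode = CERT_NONE` and `check_hostname = False`, so urllib3 warns that the request is unverified and requests fails in `match_hostname`; `PROTOCOL_TLS_CLIENT` gives `CERT_REQUIRED` and hostname checking from the start. `verifies_peer` is a guard you can run before handing a context to `PoolManager(ssl_context=...)`, and `harden` repairs a legacy context in place.

```python
"""Why SSLContext() without a protocol argument is unverified while
SSLContext(ssl.PROTOCOL_TLS_CLIENT) verifies, and how to check for it.

Added example using the stdlib ssl module; assumes truststore.SSLContext
mirrors these defaults for the protocol it is constructed with.
"""
import ssl
import warnings


def make_legacy_context() -> ssl.SSLContext:
    """Reproduce `SSLContext()` with no protocol argument.

    On Python 3.10+ this emits the same DeprecationWarning seen in the
    thread (PROTOCOL_TLS); it is silenced here because the warning is not
    the point, the resulting verification settings are.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def make_client_context() -> ssl.SSLContext:
    """Reproduce `SSLContext(ssl.PROTOCOL_TLS_CLIENT)`."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def verification_state(ctx: ssl.SSLContext) -> dict:
    """Report the two settings that decide whether the peer is checked."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,  # VerifyMode is an IntEnum
    }


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when the chain is validated AND the hostname is matched.

    urllib3's match_hostname error in the thread fires precisely because
    verify_mode is CERT_NONE; the InsecureRequestWarning has the same cause.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn a CERT_NONE client context into a verifying one, in place.

    Enabling check_hostname first is deliberate: the ssl module raises
    ValueError if verify_mode is set to CERT_NONE while check_hostname is
    on, so this order is the one that cannot leave the context half-fixed.
    """
    ctx.check_hostname = True          # implicitly raises verify_mode to CERT_REQUIRED
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    legacy = make_legacy_context()
    client = make_client_context()
    print("SSLContext():                   ", verification_state(legacy))
    print("SSLContext(PROTOCOL_TLS_CLIENT):", verification_state(client))
    print("legacy verifies peer?", verifies_peer(legacy))
    print("client verifies peer?", verifies_peer(client))
    print("hardened legacy verifies peer?", verifies_peer(harden(legacy)))
```

Running it prints `CERT_NONE` / `check_hostname: False` for the no-argument context and `CERT_REQUIRED` / `check_hostname: True` for the `PROTOCOL_TLS_CLIENT` one, which is the difference between the two sessions quoted above.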

Thanks for taking the time!
Once I add the PROTOCOL_TLS_CLIENT, I get no warnings or errors anymore.