
Comments (3)

sigmavirus24 commented on June 15, 2024

Curl may look up and retrieve the intermediates, which is what browsers do, but OpenSSL does not do this, and Python is using OpenSSL, so it does not do it. Furthermore, it is widely frowned upon as a bad practice, even if browsers have no good way of undoing the harm they have done. Please file a bug with your GitLab instance managers to do the right thing here. They should be returning the full chain.

from urllib3.

sigmavirus24 commented on June 15, 2024

This sounds like your internal GitLab instance is misconfigured and/or the certificate chain you've been provided is not complete. Without knowing how your company is managing its internal PKI system, let me give you some details:

There is typically a Root of the chain of trust. This, if your company is following CA/B Forum standards, can be valid for 20-25 years.

There is typically also at least one other chain between the Root and an issued certificate, i.e., the Issuer. This is typically valid for ~5-10 years.

The Issuer is what signs and provides the certificate for a service. The service (GitLab in your case) should be returning in the TLS Handshake:

  • Its certificate
  • The certificate for the Issuer
  • The certificate for the Root

If it only provides its certificate, then urllib3 cannot verify it if the Issuer is not in your set of trusted certificates.

You can see what your server provides by using openssl s_client -connect gitlab.company.com:443 and seeing what certs are returned. Likewise, cURL will show you certificate information with -vv (or maybe -vvv, I can't remember which) and show you what it does for TLS verification. Also, please include your curl command when you say that it works, since it's possible you're specifying a flag that in fact makes it work but does not verify TLS certificate chains of trust.

from urllib3.
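The chain-of-trust explanation and the openssl s_client check above can be reproduced offline. The script below is an added example, not code from this thread or from the urllib3 project: it builds a throwaway Root -> Issuer -> leaf PKI with the openssl CLI, then plays the client side of the handshake with `openssl verify`, where `-CAfile` is the trust store and `-untrusted` is whatever the server presented. Nothing is fetched from the network, which is how OpenSSL (and so Python's ssl module and urllib3) behaves. Every name in it (Example Root, Example Issuer, gitlab.example.test, the file names) is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from urllib3). Constructed toy PKI:
# Example Root (self-signed) -> Example Issuer (intermediate) -> gitlab.example.test (leaf).
# All names and file names are assumptions made for this demo.

WORK="${WORK:-$(mktemp -d)}"

# newkey_csr NAME CN: fresh RSA key plus a CSR for the given common name.
newkey_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_pki: build root -> intermediate -> leaf, plus two bundles that stand in
# for what a server might present in the TLS handshake.
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitlab.example.test\n' > "$WORK/leaf.ext"

    newkey_csr root "Example Root"
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    newkey_csr int "Example Issuer"
    openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

    # The leaf is signed by the intermediate only, never by the root directly.
    newkey_csr leaf gitlab.example.test
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

    # Misconfigured server: leaf only. Correct server: leaf followed by the Issuer.
    cp "$WORK/leaf.pem" "$WORK/sent_leaf_only.pem"
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/sent_full_chain.pem"
}

# certs_sent BUNDLE: how many certificates the server presented.
certs_sent() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# chain_links BUNDLE: subject/issuer of each presented certificate, the check
# one does by eye on `openssl s_client -showcerts` output. Each issuer should
# equal the subject of the next certificate, ending at something in the trust store.
chain_links() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_verdict TRUSTSTORE BUNDLE: verify the first certificate in BUNDLE (the
# leaf) using only TRUSTSTORE plus the other certificates in BUNDLE, i.e. the
# same inputs an OpenSSL client has during a handshake. Prints "ok" or "fail".
chain_verdict() {
    openssl x509 -in "$2" -out "$WORK/presented_leaf.pem" 2>/dev/null
    if openssl verify -CAfile "$1" -untrusted "$2" "$WORK/presented_leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

main() {
    make_pki
    for sent in sent_leaf_only sent_full_chain; do
        bundle="$WORK/$sent.pem"
        echo "$sent: server presents $(certs_sent "$bundle") cert(s) -> $(chain_verdict "$WORK/root.pem" "$bundle")"
    done
    # OpenSSL's own reason for the failing case; the same error text shows up
    # inside the SSLError urllib3 raises, since it wraps the OpenSSL verifier.
    openssl verify -CAfile "$WORK/root.pem" "$WORK/sent_leaf_only.pem" 2>&1 | tail -n 2
    echo "--- links in the full chain ---"
    chain_links "$WORK/sent_full_chain.pem"
}

main
```

Run it with `sh chain_demo.sh`; the generated files stay under the temporary directory named by `$WORK` for inspection. To apply the same two checks to a real server, save the output of `openssl s_client -connect gitlab.company.com:443 -showcerts </dev/null` to a file and pass that file as the BUNDLE argument: `certs_sent` tells you whether the Issuer was sent at all, and `chain_verdict` with your root bundle as TRUSTSTORE tells you whether an OpenSSL client can build the path from what was sent.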

nawordar commented on June 15, 2024

I finally managed to resolve the issue. In fact, I didn't have the whole certificate chain installed in the container. The weirdest thing is that cURL worked. The output just shows this during certificate verification:

# curl -vvv https://gitlab.company.com
...
* Server certificate:
*  subject: CN=*.company.com
*  start date: Oct 25 13:07:21 2023 GMT
*  expire date: Oct 24 13:07:20 2024 GMT
*  subjectAltName: host "gitlab.company.com" matched cert's "*.company.com"
*  issuer: C=PL; O=cyber_Folks S.A.; CN=cyber_Folks
*  SSL certificate verify ok.
...

It looks like cURL doesn't verify the whole chain.

So you were right that the problem was not with urllib3, but I reported it as a bug, since cURL worked. Anyway, thank you for your help. I'm still learning about certificates.

from urllib3.
