-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add docs and tests for Requests support #67
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Interesting the Python 3.10 and macOS for Requests seems to be consistently failing on |
I'm busy this morning but will take a look later. Maybe the flags related to revocation checks are not getting set correctly when the certifi CA certs have been loaded. |
@sethmlarson I added code to explicitly configure macOS security policy to require revocation checks when verify_flags includes VERIFY_CRL_CHECK_CHAIN. I'm still not really sure why the behavior was different when testing with requests; it seems the presence of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sethmlarson approving so it's mergeable since you opened the PR, but I'd appreciate if you could take a look at the part I added first.
ctypes.byref(CoreFoundation.kCFTypeArrayCallBacks), | ||
) | ||
CoreFoundation.CFArrayAppendValue(policies, ssl_policy) | ||
revocation_policy = Security.SecPolicyCreateRevocation( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davisagli Do we need to CFRelease
the ssl_policy
and revocation_policy
objects below as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sethmlarson Yes, having reviewed docs about CoreFoundation memory management more closely, I think you're right.
@@ -38,6 +40,8 @@ class FailureHost: | |||
"Hostname mismatch, certificate is not valid for 'wrong.host.badssl.com'", | |||
# macOS | |||
"certificate name does not match", | |||
# macOS with revocation checks | |||
"certificates do not meet pinning requirements", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davisagli This is a strange message for the situation, makes me think of certificate pinning or macOS minimum requirements for certs. What's the full error message here if you have that handy?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SSLCertVerificationError('"*.badssl.com","R3","ISRG Root X1" certificates do not meet pinning requirements')
Here is someone else configuring a revocation security policy similar to us, who noted that it's returning errSecIncompleteCertRevocationCheck
= -67635 indicating that a revocation check could not be completed (which makes more sense), but that CFErrorCopyDescription is returning the wrong error message for that error code: https://developer.apple.com/forums/thread/706629
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice find!! That looks like exactly what we're experiencing.
Closes #66