Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support urllib3 1.26.x and 2.x #121

Merged
merged 2 commits into from Oct 18, 2023
Merged

Support urllib3 1.26.x and 2.x #121

merged 2 commits into from Oct 18, 2023

Conversation

pquentin
Copy link
Member

This changes the assert_fingerprint hack to more directly tell urllib3 that we'll assert the fingerprint ourselves to add support for pinning root certificates, not only the leaves.

See #105 for more context.

@sethmlarson @pquentin
Support urllib3 1.26.x and 2.x
f68f2ae 
This changes the assert_fingerprint hack to more directly tell urllib3
that we'll assert the fingerprint ourselves to add support for pinning
root certificates, not only the leaves.
@pquentin pquentin changed the base branch from urllib3-2.0 to main September 27, 2023 09:47
@pquentin pquentin force-pushed the urllib3-2.0 branch 2 times, most recently from a194934 to 4845194 Compare September 27, 2023 12:33
This was referenced Oct 11, 2023
Closed
Closed
@ezimuel ezimuel self-assigned this Oct 18, 2023
@ezimuel ezimuel self-requested a review October 18, 2023 07:33
ezimuel
ezimuel approved these changes Oct 18, 2023
View reviewed changes
Copy link

@ezimuel ezimuel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ezimuel ezimuel merged commit 3ac11af into elastic:main Oct 18, 2023
10 checks passed
@ezimuel ezimuel mentioned this pull request Oct 18, 2023
Closed
@pquentin
Copy link
Member Author

To make sure this could be released, I tested this quite extensively.

I initially tried with Elasticsearch in Docker Compose, but I noticed that Elasticsearch would only present the server certificate, and not the full chain including the generated root CA. It is allowed to do so (https://stackoverflow.com/questions/34945244/should-the-trusted-root-ca-be-a-part-of-the-certificate-chain) but my understanding is that this prevents asserting a fingerprint of the root CA in elastic-transport-python because we look at the certificates we get, not by which certificate they are signed.

Then I used Elastic Cloud with two different servers (one in Belgium and the other in Paris) and checked that it presented the whole chain (server, R3 and ISRG Root X1). I was then able to test that I could assert fingerprint for R3 and ISRG Root X1 for bother servers and for urllib3 1.26.x and 2.0.x using the following code:

import base64

from elastic_transport import NodeConfig, Transport

transport = Transport(
    [
        NodeConfig(
            "https",
            "$NAME.es.europe-west9.gcp.elastic-cloud.com",
            443,
            ssl_assert_fingerprint="$FINGERPRINT",
        )
    ]
)
print(
    transport.perform_request(
        "GET",
        "/",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Basic "
            + base64.b64encode(b"elastic:password").decode(),
        },
    ).body
)

This can now be relased. 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ezimuel ezimuel ezimuel approved these changes

Assignees

@ezimuel ezimuel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@pquentin @ezimuel @sethmlarson