-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Remove support for common names in certificates #497
Comments
Probably also of interest: https://bugzil.la/1088998 |
I'm in a very remove-things mood, +1. |
We should try to collect some numbers on how common this is before we move too quickly IMO, but I like the idea obviously! |
I suspect @Lukasa will be more conservative, but yeah, it'd be nice have some numbers about this. |
These numbers you speak of, where do we acquire them? |
We might be able to ask the Chromium folks for theirs, we could survey the On Fri Oct 31 2014 at 7:04:18 PM Andrey Petrov notifications@github.com
|
Deprecation Warning for the next release and see how many people report it as a bug? |
I like the DeprecationWarning, let's do that. I assume Chromium's threshold for deprecating is much more conservative than ours, so if they're doing it... On the other hand, our demographics are fairly different. |
Note that false SSL certificate warnings may be seen if using Python 2.7.2 or older. This is because in older Python versions the To eliminate the warnings you have two choices. The first is to surround the API call to
The alternative is to disable
Note that if you are using the
The summary of this related problem has been copied over from #523 given that the warning generated refers to this ticket. For more information see #523. |
@GrahamDumpleton perhaps it would make sense to change the warning text on 2.7.2, I think that should definitely still emit a warning though -- it's increasingly not practical to do TLS on the web without SANs, you can't even access pypi without them AFAIK /cc @dstufft |
Definitely open to having different warning text for the affected versions. @GrahamDumpleton, what do you think? Proposals for such text/PRs are welcome. |
You cannot access PyPI without SAN support that is correct, or most of the sites on Python's TLS. |
@GrahamDumpleton better solution is to use Python's logging module and then redirect the information to the log:
Works without having to do anything specific to urllib3 or Python Requests; and keeps the messages off the console so the user doesn't get annoyed by things that are out-of-their-control. |
@BenjamenMeyer Having it fill the logs is no better for us. We use |
@GrahamDumpleton another good resolution too. I wasn't so much as referring to modifying requests/urllib3 as having to call: requests.packages.urllib3.disable_warnings() or urllib3.disable_warnings() Code specific to either library and probably removes more warnings than desired. |
@BenjamenMeyer Note that disable_warnings accepts a category that allows you to filter by whatever you wish. https://github.com/shazow/urllib3/blob/master/urllib3/__init__.py#L62 |
@shazow And I would have to have intricate knowledge of urllib3 to figure out what was the right filter to apply. Even so, it's better to capture it in the logger which can also be filtered as desired at the application level. Of course, I come from a school of thought of toss everything in the log and then filter it all together. I'd rather having a single setting for that than a dozen; and certainly not on a per-API level when an application may use multiple APIs to provide its functionalities. |
I am getting this warning. I would love to have a recipe to create X.509 certificates with OpenSSL usable without "requests" warnings. I the meantime I just downgraded to "requests" 2.4.3 :-(. |
A quick search leads to a StackOverflow answer and other apparently similar resources. It isn't the role of requests or urllib3 to educate people on how to generate X.509 certificates. |
Clears warning: tests/test_build_linkcheck.py::test_connect_to_selfsigned_with_tls_cacerts tests/test_build_linkcheck.py::test_connect_to_selfsigned_with_requests_env_var …/venv/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for localhost has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) warnings.warn(
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
Code Changes
Documentation
|
Closing since #2113 was merged. urllib3 2.0 won't support common names at all. |
If you need to generate new certificates compatible with urllib3 2.0 (that is, with subject alternative names), I would recommend using trustme: https://github.com/python-trio/trustme. This is what urllib3 uses internally. |
We should follow the lead of Chromium. We should deprecate support for use of common names when a certificate doesn't provide a subjectAltName.
This will bring us into compliance with the >10 year old RFC 2818
The text was updated successfully, but these errors were encountered: