Skip to content

Handle OpenSSL 3.2.0 new error message for unexpected unencrypted records #3268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ecerulm opened this issue Jan 8, 2024 · 4 comments · Fixed by #3271
Closed

Handle OpenSSL 3.2.0 new error message for unexpected unencrypted records #3268

ecerulm opened this issue Jan 8, 2024 · 4 comments · Fixed by #3271
Assignees
@ecerulm
Labels
💰 Bounty $100 If you complete this issue we'll pay you $100 on OpenCollective! Contributor Friendly ♥

Comments

@ecerulm
Copy link
Member

ecerulm commented Jan 8, 2024

Subject

I was expecting to all tests working on "main" branch but there are 3 failing test cases

  • TestProxyManager::test_https_proxymanager_connected_to_http_proxy[http]
  • TestProxyManager::test_https_proxymanager_connected_to_http_proxy[https]
  • TestSSL::test_ssl_failure_midway_through_conn
nox -s test-3.12 
...
FAILED test/with_dummyserver/test_socketlevel.py::TestProxyManager::test_https_proxymanager_connected_to_http_proxy[http] - assert 'Your proxy appears to only use HTTP and not HTTPS' in "('Unable to connect to proxy', SSLError(SSLError(1, '[SSL] record layer failure (_ssl.c:1000)')))"
FAILED test/with_dummyserver/test_socketlevel.py::TestProxyManager::test_https_proxymanager_connected_to_http_proxy[https] - assert 'Your proxy appears to only use HTTP and not HTTPS' in "('Unable to connect to proxy', SSLError(SSLError(1, '[SSL] record layer failure (_ssl.c:1000)')))"
FAILED test/with_dummyserver/test_socketlevel.py::TestSSL::test_ssl_failure_midway_through_conn - AssertionError: Regex pattern did not match.

Environment

OS macOS-14.2.1-x86_64-i386-64bit
Python 3.12.1
OpenSSL 3.2.0 23 Nov 2023
urllib3 2.1.0

Steps to Reproduce

nox -s test-3.12

Expected Behavior

The test should work, or they should be skipped, or if it's because they are not supported on macOS, then may it should be conditionally skipped.

Actual Behavior

3 test fails
@ecerulm
Copy link
Member Author

ecerulm commented Jan 8, 2024

Just to be clear if I skipped those test manually with -k then it will pass.

nox -R -s test-3.12 -- -k 'not (test_https_proxymanager_connected_to_http_proxy or test_ssl_failure_midway_through_conn)'

...
==================================================================== 1750 passed, 311 skipped, 4 deselected, 58 warnings in 320.33s (0:05:20) =====================================================================
nox > Session test-3.12 was successful.

@sethmlarson
Copy link
Member

@ecerulm Thanks for reporting this, it looks like OpenSSL 3.2.0 may have changed the error message that gets raised for these cases. I believe extending our regex to catch this case should be all that's needed.

@ecerulm
Copy link
Member Author

ecerulm commented Jan 8, 2024
edited
Loading

I've been testing more

For the 2 test cases below the issue seems to be timing

test/with_dummyserver/test_socketlevel.py::TestProxyManager::test_https_proxymanager_connected_to_http_proxy[http]
test/with_dummyserver/test_socketlevel.py::TestProxyManager::test_https_proxymanager_connected_to_http_proxy[https]

If at

urllib3/test/with_dummyserver/test_socketlevel.py

Line 1252 in 2ac4efa

self._start_server(http_socket_handler)
I add a wait statement then it works all the time.

        self._start_server(http_socket_handler)
        import time
        time.sleep(1)

it seems that the server is not ready that quick.

@ecerulm ecerulm mentioned this issue Jan 8, 2024
Closed
@sethmlarson sethmlarson changed the title test suite has failing tests cases: test_https_proxymanager_connected_to_http_proxy[http] Handle OpenSSL 3.2.0 new error message for unexpected unencrypted records Jan 8, 2024
@ecerulm ecerulm mentioned this issue Jan 8, 2024
Merged
@ecerulm
Copy link
Member Author

ecerulm commented Jan 9, 2024

@ecerulm Thanks for reporting this, it looks like OpenSSL 3.2.0 may have changed the error message that gets raised for these cases. I believe extending our regex to catch this case should be all that's needed.

I added PR #3271 to recognize the SSLError "record layer failure" and map it to "Your proxy appears to only use HTTP and not HTTPS..."

@sethmlarson sethmlarson added the 💰 Bounty $100 If you complete this issue we'll pay you $100 on OpenCollective! label Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ecerulm ecerulm

Labels
💰 Bounty $100 If you complete this issue we'll pay you $100 on OpenCollective! Contributor Friendly ♥
Projects
None yet
Milestone
No milestone
2 participants
@ecerulm @sethmlarson
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy