>>> print("OS", platform.platform())
OS Linux-3.10.0-1160.15.2.el7.x86_64-x86_64-with-glibc2.17
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.26.4
>>>
import urllib3
proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
# this works
proxy.request('GET', 'https://github.com')
# this fails
proxy.request('GET', 'https://github.com.')
>>> import urllib3
>>> proxy = urllib3.ProxyManager('http://someproxy-server.com:8080')
>>> proxy.request('GET', 'https://github.com')
<urllib3.response.HTTPResponse object at 0x7fce2ad964c0>
>>> proxy.request('GET', 'https://github.com.')
Traceback (most recent call last):
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
    conn.connect()
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 464, in connect
    _match_hostname(cert, self.assert_hostname or server_hostname)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connection.py", line 512, in _match_hostname
    match_hostname(cert, asserted_hostname)
  File "/usr/local/lib/python3.9/ssl.py", line 416, in match_hostname
    raise CertificateError("hostname %r "
ssl.SSLCertVerificationError: ("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 74, in request
    return self.request_encode_url(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/request.py", line 96, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 532, in urlopen
    return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/poolmanager.py", line 375, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 783, in urlopen
    return self.urlopen(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/home/mike/bugtest/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='github.com.', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'github.com.' doesn't match either of 'github.com', 'www.github.com'")))
>>>
Subject
Same issue as #1254 / #1255 only when using a proxy.
Environment
Steps to Reproduce
Substitute "someproxy-server.com:8080" with a real proxy server to test this.
Just like #1254 the connection works with github.com but fails with github.com. (trailing dot).
Expected Behavior
The trailing dot for domain when connecting via proxy should be stripped just as it is in a direct connection as fixed in #1255.
Since _match_hostname() is using server_hostname which, in the case of proxy connections, comes from self._tunnel_host instead of self.host, it seems that a .rstrip(".") should either be added when self._tunnel_host is referenced here or when it is constructed from self._proxy_host here or when self._proxy_host is defined and mutated here. The first option seems the safest, but the last option may be most correct.
Actual Behavior
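The hostname selection this report describes, modelled as an added example (not urllib3's code and not part of the original report). `verify_peer`, `normalize_hostname`, `dnsname_matches` and the `normalize_tunnel` switch are hypothetical names, the matcher is a simplified RFC 6125 check, and the SAN list is constructed from the two names quoted in the traceback.

```python
# Added example: a model of the check described in the report, not urllib3 code.
# Constructed SAN list, taken from the names in the SSLCertVerificationError text.
CERT_SANS = ["github.com", "www.github.com"]


def normalize_hostname(host):
    """Drop the trailing dot of a fully qualified name and lowercase it."""
    return host.rstrip(".").lower()


def dnsname_matches(pattern, hostname):
    """Simplified RFC 6125 match: exact, or '*' as the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.com'.
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_peer(sans, host, tunnel_host=None, normalize_tunnel=True):
    """Choose the asserted name as the report describes, then match it.

    Direct connections assert `host`, which is stripped (the #1255 behaviour).
    Proxied connections assert `tunnel_host`; it is stripped only when
    `normalize_tunnel` is True, which is the change the report asks for.
    """
    if tunnel_host is None:
        asserted = normalize_hostname(host)
    elif normalize_tunnel:
        asserted = normalize_hostname(tunnel_host)
    else:
        asserted = tunnel_host  # behaviour reported: the dot reaches the matcher
    return any(dnsname_matches(san, asserted) for san in sans)


if __name__ == "__main__":
    proxy = "someproxy-server.com"
    print(verify_peer(CERT_SANS, "github.com."))                        # direct
    print(verify_peer(CERT_SANS, proxy, "github.com.", normalize_tunnel=False))
    print(verify_peer(CERT_SANS, proxy, "github.com.", normalize_tunnel=True))
    # Stripping only removes terminal dots, so it does not loosen matching:
    print(verify_peer(CERT_SANS, proxy, "github.com.attacker.example."))
```

Normalizing only the name passed to the certificate check keeps verification strict: a name that merely starts with `github.com.` still fails after the terminal dot is removed.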