Merge pull request #2094 from redapple/dns-invalid-id

Catch and ignore certification verification exception for IP-address hosts
2025-02-23 11:03:54 +00:00 · 2016-07-13 10:48:08 +00:00 · 2016-07-13 10:48:08 +00:00 · 2dd1a9e3bc
commit 2dd1a9e3bc
parent 3b5915568b 005cf949b8
2 changed files with 23 additions and 3 deletions
--- a/scrapy/core/downloader/tls.py
+++ b/scrapy/core/downloader/tls.py
@ -34,9 +34,15 @@ try:
                                             VerificationError)

    class ScrapyClientTLSOptions(ClientTLSOptions):
-        # same as Twisted's ClientTLSOptions,
-        # except that VerificationError is caught
-        # and doesn't close the connection
+        """
+        SSL Client connection creator ignoring certificate verification errors
+        (for genuinely invalid certificates or bugs in verification code).
+
+        Same as Twisted's private _sslverify.ClientTLSOptions,
+        except that VerificationError and ValueError exceptions are caught,
+        so that the connection is not closed, only logging warnings.
+        """
+
        def _identityVerifyingInfoCallback(self, connection, where, ret):
            if where & SSL_CB_HANDSHAKE_START:
                _maybeSetHostNameIndication(connection, self._hostnameBytes)
@ -48,6 +54,12 @@ try:
                        'Remote certificate is not valid for hostname "{}"; {}'.format(
                            self._hostnameASCII, e))

+                except ValueError as e:
+                    logger.warning(
+                        'Ignoring error while verifying certificate '
+                        'from host "{}" (exception: {})'.format(
+                            self._hostnameASCII, repr(e)))
+
 except ImportError:
    # ImportError should not matter for older Twisted versions
    # as the above is not used in the fallback ScrapyClientContextFactory
--- a/tests/test_downloader_handlers.py
+++ b/tests/test_downloader_handlers.py
@ -356,6 +356,14 @@ class Https11WrongHostnameTestCase(Http11TestCase):
    certfile = 'keys/example-com.cert.pem'


+class Https11InvalidDNSId(Https11TestCase):
+    """Connect to HTTPS hosts with IP while certificate uses domain names IDs."""
+
+    def setUp(self):
+        super(Https11InvalidDNSId, self).setUp()
+        self.host = '127.0.0.1'
+
+
 class Http11MockServerTestCase(unittest.TestCase):
    """HTTP 1.1 test case with MockServer"""
    if twisted_version < (11, 1, 0):