Fix SSL certificate verification failure for hostnames with trailing dots (#1063) #1067
Open
r266-tech wants to merge 1 commit into encode:master from
…dots

Python's ssl module does not handle trailing dots in server_hostname, causing CERTIFICATE_VERIFY_FAILED errors for fully qualified domain names (FQDNs) like 'example.com.'. This fix strips the trailing dot from server_hostname at the connection level before passing it to SSL backends, following the same approach used by urllib3. The underlying DNS resolution still uses the original hostname with the trailing dot.

Fixes encode#1063
Problem

When using httpx/httpcore with FQDNs that have trailing dots (e.g., myhost.mycompany.internal.), SSL certificate verification fails with:

This is a known issue — Python's ssl module doesn't handle trailing dots in server_hostname. The Python SSL team has acknowledged this as an application-layer issue: https://bugs.python.org/issue31997

Solution

Strip the trailing dot from server_hostname before passing it to SSL backends. This follows the same approach used by urllib3.

The fix is applied at the connection level (where server_hostname is constructed) rather than in each backend, keeping the change minimal and centralized across 6 files:

- httpcore/_async/connection.py
- httpcore/_sync/connection.py
- httpcore/_async/http_proxy.py
- httpcore/_sync/http_proxy.py
- httpcore/_async/socks_proxy.py
- httpcore/_sync/socks_proxy.py

DNS resolution still uses the original hostname with the trailing dot — only the SSL SNI is normalized.

Fixes #1063
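The normalization described above, as an added Python example that is not httpcore's or urllib3's code: it keeps the original FQDN for DNS, strips one trailing dot for the server_hostname/SNI value only, and includes a simplified dNSName matcher to show why the unstripped name fails verification. The function names, the sample SAN and the connect_tls wiring are assumptions for illustration.

```python
import ipaddress
import socket
import ssl


def hostnames_for_tls(host: str) -> tuple:
    """Return (dns_host, sni_host) for one target.

    dns_host goes unchanged to the resolver: 'example.com.' is a valid
    absolute name there and suppresses search-domain suffixing.
    sni_host is what server_hostname= receives: a single trailing dot is
    dropped, because certificate dNSName SANs are never written with it.
    """
    try:
        ipaddress.ip_address(host)
        return host, host  # IP literal: nothing to strip, and no SNI is sent for IPs
    except ValueError:
        pass
    sni_host = host[:-1] if host.endswith(".") and len(host) > 1 else host
    return host, sni_host


def san_dns_matches(san: str, hostname: str) -> bool:
    """Simplified RFC 6125 dNSName comparison, the rule the TLS backend
    applies: exact match, or a wildcard covering exactly one leftmost
    label. It does no trailing-dot handling, which is why
    'example.com.' never matches a SAN of 'example.com'."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[0] != "" and labels[1] == san[2:]
    return san == hostname


def connect_tls(host: str, port: int = 443) -> ssl.SSLSocket:
    """Wire it up the way the fix does (assumed usage, needs network):
    resolve with the original name, verify and send SNI with the
    normalized one."""
    dns_host, sni_host = hostnames_for_tls(host)
    ctx = ssl.create_default_context()
    raw = socket.create_connection((dns_host, port))
    return ctx.wrap_socket(raw, server_hostname=sni_host)


if __name__ == "__main__":
    san = "myhost.mycompany.internal"  # constructed certificate SAN
    dns_host, sni_host = hostnames_for_tls("myhost.mycompany.internal.")
    print("raw name matches SAN:", san_dns_matches(san, dns_host))  # False
    print("SNI name matches SAN:", san_dns_matches(san, sni_host))  # True
```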