🐛 Fixed an issue where specifying cert_reqs=ssl.CERT_NONE or `asser…

…t_hostname` was ignored when using HTTP/3 over QUIC (#48) Close jawah/niquests#52
jawah · Dec 8, 2023 · c60a21d · c60a21d
1 parent 2cbc25b
commit c60a21d
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,3 +1,8 @@
+2.3.902 (2023-12-08)
+====================
+
+- Fixed an issue where specifying `cert_reqs=ssl.CERT_NONE` or `assert_hostname` was ignored when using HTTP/3 over QUIC.
+
 2.3.901 (2023-11-26)
 ====================
 

diff --git a/src/urllib3/_version.py b/src/urllib3/_version.py
@@ -1,4 +1,4 @@
 # This file is protected via CODEOWNERS
 from __future__ import annotations
 
-__version__ = "2.3.901"
+__version__ = "2.3.902"
diff --git a/src/urllib3/backend/hface.py b/src/urllib3/backend/hface.py
@@ -40,7 +40,7 @@
     ResponseNotReady,
     SSLError,
 )
-from ..util import parse_alt_svc
+from ..util import parse_alt_svc, resolve_cert_reqs
 from ._base import (
     BaseBackend,
     ConnectionInfo,
@@ -187,20 +187,29 @@ def _custom_tls(
         key_password: str | bytes | None = None,
         cert_fingerprint: str | None = None,
         assert_hostname: None | str | typing.Literal[False] = None,
+        cert_reqs: int | str | None = None,
     ) -> None:
         """Meant to support TLS over QUIC meanwhile cpython does not ship with its native implementation."""
         if self._svn != HttpVersion.h3:
             raise NotImplementedError
 
         cert_use_common_name = False
 
+        allow_insecure: bool = False
+
         if ssl_context:
             cert_use_common_name = (
                 getattr(ssl_context, "hostname_checks_common_name", False) or False
             )
 
+            if ssl_context.verify_mode == ssl.CERT_NONE:
+                allow_insecure = True
+
+        if not allow_insecure and resolve_cert_reqs(cert_reqs) == ssl.CERT_NONE:
+            allow_insecure = True
+
         self.__custom_tls_settings = QuicTLSConfig(
-            insecure=ssl_context.verify_mode == ssl.CERT_NONE if ssl_context else False,
+            insecure=allow_insecure,
             cafile=ca_certs,
             capath=ca_cert_dir,
             cadata=ca_cert_data.encode()

diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
@@ -642,6 +642,8 @@ def connect(self) -> None:
                 self.key_file or self.key_data,
                 self.key_password,
                 self.assert_fingerprint,
+                self.assert_hostname,
+                self.cert_reqs,
             )
         except NotImplementedError:
             server_hostname: str = self.host