Setup the SSL COntext correctly for https proxies

pulp · Aug 4, 2022 · 477ba8a · 477ba8a
1 parent 2d68f26
commit 477ba8a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/CHANGES/3036.bugfix b/CHANGES/3036.bugfix
@@ -0,0 +1 @@
+Fixed setting up of default ssl context if the proxy is https
diff --git a/pulpcore/download/factory.py b/pulpcore/download/factory.py
@@ -107,6 +107,9 @@ def _make_aiohttp_session_from_remote(self):
         sslcontext = None
         if self._remote.ca_cert:
             sslcontext = ssl.create_default_context(cadata=self._remote.ca_cert)
+        elif self._is_remote_proxy_secure():
+            sslcontext = ssl.create_default_context()
+
         if self._remote.client_key and self._remote.client_cert:
             if not sslcontext:
                 sslcontext = ssl.create_default_context()
@@ -123,6 +126,7 @@ def _make_aiohttp_session_from_remote(self):
             sslcontext.check_hostname = False
             sslcontext.verify_mode = ssl.CERT_NONE
         if sslcontext:
+            sslcontext.load_default_certs()
             tcp_conn_opts["ssl_context"] = sslcontext
 
         headers = MultiDict({"User-Agent": DownloaderFactory.user_agent()})
@@ -194,6 +198,8 @@ class to be instantiated.
         """
         options = {"session": self._session}
         if self._remote.proxy_url:
+            if self._is_remote_proxy_secure():
+                setattr(asyncio.sslproto._SSLProtocolTransport, "_start_tls_compatible", True)
             options["proxy"] = self._remote.proxy_url
             if self._remote.proxy_username and self._remote.proxy_password:
                 options["proxy_auth"] = aiohttp.BasicAuth(
@@ -225,3 +231,6 @@ class to be instantiated.
             is configured with the remote settings.
         """
         return download_class(url, **kwargs)
+
+    def _is_remote_proxy_secure(self):
+        return self._remote.proxy_url and urlparse(self._remote.proxy_url).scheme == "https"