Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Moderate severity
GitHub Reviewed
Published Mar 15, 2021 in urllib3/urllib3 • Updated Nov 18, 2024
Impact
This issue affects users who are using an HTTPS proxy to issue HTTPS requests and haven't configured their own SSLContext via proxy_config. Only the default SSLContext is impacted.
Patches
urllib3 >=1.26.4 has the issue resolved. urllib3 <1.26 is not impacted because it does not support HTTPS requests via HTTPS proxies.
Workarounds
Upgrading is recommended as this is a minor release and not likely to break current usage.
Configuring an SSLContext with check_hostname=True and passing it via proxy_config instead of relying on the default SSLContext.
For more information
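For the SSLContext workaround listed under Workarounds, the following is an added example (not code from the advisory or from the urllib3 project). It checks an installed version against the range the advisory gives and builds a proxy context with hostname checking enforced. The function names and the proxy URL are hypothetical; the context is supplied through the `proxy_ssl_context` keyword of `urllib3.ProxyManager`.

```python
import re
import ssl


def is_affected(version):
    """Advisory range: urllib3 1.26.0 up to, but not including, 1.26.4."""
    nums = [int(m.group()) for m in
            (re.match(r"\d+", part) for part in version.split(".")[:3]) if m]
    nums += [0] * (3 - len(nums))
    return (1, 26, 0) <= tuple(nums) < (1, 26, 4)


def proxy_tls_context(cafile=None):
    """Build the context used for the TLS connection to the proxy itself."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() enables both already; setting them explicitly
    # keeps the requirement visible and guards against later edits.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verifies_proxy_identity(ctx):
    """True only if the context validates the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def make_proxy_manager(proxy_url, cafile=None):
    """Return a ProxyManager whose proxy connection checks the hostname."""
    import urllib3  # local import: the helpers above need only the stdlib

    ctx = proxy_tls_context(cafile)
    if not verifies_proxy_identity(ctx):
        raise ValueError("proxy SSLContext does not verify the hostname")
    return urllib3.ProxyManager(proxy_url, proxy_ssl_context=ctx)


if __name__ == "__main__":
    import urllib3

    print("urllib3", urllib3.__version__,
          "in affected range:", is_affected(urllib3.__version__))
    # Placeholder proxy URL (assumption); no connection is made here.
    manager = make_proxy_manager("https://proxy.example:8443")
    print("proxy manager ready:", manager.proxy.host)
```
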
If you have any questions or comments about this advisory:
References