Revert "Add TLS settings for HTTP/2 (#3456)" (#3466)

pquentin · web-flow · commit 1e94feb2a671 · 2024-09-03T13:10:49.000+04:00
This reverts commit d480615. Unfortunately, we realized after working on them that we can't really use those new settings. curl also does not implement them.
diff --git a/changelog/3456.feature.rst b/changelog/3456.feature.rst
diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
@@ -17,11 +17,6 @@
 HAS_NEVER_CHECK_COMMON_NAME = False
 IS_PYOPENSSL = False
 ALPN_PROTOCOLS = ["http/1.1"]
-OP_NO_COMPRESSION = 0
-OP_NO_RENEGOTIATION = 0
-OP_NO_TICKET = 0
-
-HTTP2_DEFAULT_CIPHERS = "@SECLEVEL=2:ECDHE+AESGCM:ECDHE+CHACHA20:!aDSS"
 
 _TYPE_VERSION_INFO = typing.Tuple[int, int, int, str, int]
 
@@ -104,23 +99,19 @@ class _TYPE_PEER_CERT_RET_DICT(TypedDict, total=False):
     from ssl import (  # type: ignore[assignment]
         CERT_REQUIRED,
         HAS_NEVER_CHECK_COMMON_NAME,
+        OP_NO_COMPRESSION,
+        OP_NO_TICKET,
         OPENSSL_VERSION,
         OPENSSL_VERSION_NUMBER,
+        PROTOCOL_TLS,
+        PROTOCOL_TLS_CLIENT,
+        OP_NO_SSLv2,
+        OP_NO_SSLv3,
         SSLContext,
         TLSVersion,
     )
 
-    from .ssltransport import SSLTransport  # type: ignore[assignment]
-
-    # Need to be careful here in case old TLS versions get
-    # removed in future 'ssl' module implementations.
-    for attr in ("TLSv1", "TLSv1_1", "TLSv1_2"):
-        try:
-            _SSL_VERSION_TO_TLS_VERSION[getattr(ssl, f"PROTOCOL_{attr}")] = getattr(
-                TLSVersion, attr
-            )
-        except AttributeError:  # Defensive:
-            continue
+    PROTOCOL_SSLv23 = PROTOCOL_TLS
 
     # Setting SSLContext.hostname_checks_common_name = False didn't work before CPython
     # 3.8.9, 3.9.3, and 3.10 (but OK on PyPy) or OpenSSL 1.1.1l+
@@ -133,22 +124,20 @@ class _TYPE_PEER_CERT_RET_DICT(TypedDict, total=False):
     ):
         HAS_NEVER_CHECK_COMMON_NAME = False
 
-    # NOTE: Flags are imported separately because they may raise ImportError
-    from ssl import (
-        OP_NO_COMPRESSION,
-        OP_NO_RENEGOTIATION,
-        OP_NO_TICKET,
-        PROTOCOL_TLS,
-        PROTOCOL_TLS_CLIENT,
-        OP_NO_SSLv2,
-        OP_NO_SSLv3,
-    )
+    # Need to be careful here in case old TLS versions get
+    # removed in future 'ssl' module implementations.
+    for attr in ("TLSv1", "TLSv1_1", "TLSv1_2"):
+        try:
+            _SSL_VERSION_TO_TLS_VERSION[getattr(ssl, f"PROTOCOL_{attr}")] = getattr(
+                TLSVersion, attr
+            )
+        except AttributeError:  # Defensive:
+            continue
 
-    PROTOCOL_SSLv23 = PROTOCOL_TLS
+    from .ssltransport import SSLTransport  # type: ignore[assignment]
 except ImportError:
-    OP_NO_COMPRESSION = 0x20000
-    OP_NO_TICKET = 0x4000
-    OP_NO_RENEGOTIATION = 0x40000000
+    OP_NO_COMPRESSION = 0x20000  # type: ignore[assignment]
+    OP_NO_TICKET = 0x4000  # type: ignore[assignment]
     OP_NO_SSLv2 = 0x1000000  # type: ignore[assignment]
     OP_NO_SSLv3 = 0x2000000  # type: ignore[assignment]
     PROTOCOL_SSLv23 = PROTOCOL_TLS = 2  # type: ignore[assignment]
@@ -238,7 +227,6 @@ def create_urllib3_context(
     ciphers: str | None = None,
     ssl_minimum_version: int | None = None,
     ssl_maximum_version: int | None = None,
-    http2: bool = False,
 ) -> ssl.SSLContext:
     """Creates and configures an :class:`ssl.SSLContext` instance for use with urllib3.
 
@@ -315,8 +303,6 @@ def create_urllib3_context(
     # the case of OpenSSL 1.1.1+ or use our own secure default ciphers.
     if ciphers:
         context.set_ciphers(ciphers)
-    elif http2:
-        context.set_ciphers(HTTP2_DEFAULT_CIPHERS)
 
     # Setting the default here, as we may have no ssl module on import
     cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
@@ -329,26 +315,21 @@ def create_urllib3_context(
         options |= OP_NO_SSLv3
         # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
         # (issue #309)
-        # Also, HTTP2 (RFC 9113 9.2.1) requires compression to be disabled
         options |= OP_NO_COMPRESSION
         # TLSv1.2 only. Unless set explicitly, do not request tickets.
         # This may save some bandwidth on wire, and although the ticket is encrypted,
         # there is a risk associated with it being on wire,
         # if the server is not rotating its ticketing keys properly.
         options |= OP_NO_TICKET
-        if http2:
-            # HTTP2 (RFC 9113 9.2.1) requires renegotiation to be disabled
-            options |= OP_NO_RENEGOTIATION
 
     context.options |= options
 
     # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
     # necessary for conditional client cert authentication with TLS 1.3.
     # The attribute is None for OpenSSL <= 1.1.0 or does not exist when using
     # an SSLContext created by pyOpenSSL.
-    # Disable for HTTP/2: RFC 9113 9.2.3 prohibits post_handshake_auth with HTTP2
     if getattr(context, "post_handshake_auth", None) is not None:
-        context.post_handshake_auth = not http2
+        context.post_handshake_auth = True
 
     # The order of the below lines setting verify_mode and check_hostname
     # matter due to safe-guards SSLContext has to prevent an SSLContext with
diff --git a/test/test_ssl.py b/test/test_ssl.py
@@ -225,71 +225,6 @@ def test_create_urllib3_context_ssl_version_and_ssl_min_max_version_no_error(
         ):
             ssl_.create_urllib3_context(**kwargs)
 
-    @pytest.mark.parametrize(
-        ["pha", "expected_pha", "cert_reqs"],
-        [
-            (None, None, None),
-            (None, None, ssl.CERT_NONE),
-            (None, None, ssl.CERT_OPTIONAL),
-            (None, None, ssl.CERT_REQUIRED),
-            (False, False, None),
-            (False, False, ssl.CERT_NONE),
-            (False, False, ssl.CERT_OPTIONAL),
-            (False, False, ssl.CERT_REQUIRED),
-            (True, False, None),
-            (True, False, ssl.CERT_NONE),
-            (True, False, ssl.CERT_OPTIONAL),
-            (True, False, ssl.CERT_REQUIRED),
-        ],
-    )
-    def test_create_urllib3_context_http2_no_pha(
-        self,
-        monkeypatch: pytest.MonkeyPatch,
-        pha: bool | None,
-        expected_pha: bool | None,
-        cert_reqs: int | None,
-    ) -> None:
-        context = mock.create_autospec(ssl_.SSLContext)
-        context.set_ciphers = mock.Mock()
-        context.options = 0
-        context.post_handshake_auth = pha
-        monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
-
-        assert ssl_.create_urllib3_context(cert_reqs=cert_reqs, http2=True) is context
-
-        assert context.post_handshake_auth == expected_pha
-
-    def test_create_urllib3_context_http2_default_ciphers(
-        self, monkeypatch: pytest.MonkeyPatch
-    ) -> None:
-        ciphers = ssl_.HTTP2_DEFAULT_CIPHERS
-        context = mock.create_autospec(ssl_.SSLContext)
-        context.set_ciphers = mock.Mock()
-        context.options = 0
-        monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
-
-        assert ssl_.create_urllib3_context(http2=True) is context
-
-        assert context.set_ciphers.call_count == 1
-        assert context.set_ciphers.call_args == mock.call(ciphers)
-
-    def test_create_urllib3_context_http2_options(
-        self, monkeypatch: pytest.MonkeyPatch
-    ) -> None:
-        context = mock.create_autospec(ssl_.SSLContext)
-        context.set_ciphers = mock.Mock()
-        context.options = 0
-        monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
-
-        assert ssl_.create_urllib3_context(http2=True) is context
-
-        assert context.options & ssl_.OP_NO_COMPRESSION != 0
-        assert context.options & ssl_.OP_NO_RENEGOTIATION != 0
-
-    def test_create_urllib3_context_http2_ssl_min_version(self) -> None:
-        context = ssl_.create_urllib3_context(http2=True)
-        assert context.minimum_version == ssl.TLSVersion.TLSv1_2
-
     def test_assert_fingerprint_raises_exception_on_none_cert(self) -> None:
         with pytest.raises(SSLError):
             ssl_.assert_fingerprint(
