Looking for an option to use TOFU (trust on first use) for TLS

[decoupca]

I use httpx to interact with lots of appliances over TLS that I either have no control over, or have no options for configuring TLS. Rather than fully disabling verification, it would be nice to emulate SSH's trust on first use model:

1. Cache the cert on first use
2. Require that cert on subsequent connections
3. Raise a validation error if a different cert is presented

The solution would provide a way to update the cache in the event of a valid cert update. I've looked around but can't find anything like this. Have I missed this somewhere? If not, does httpx provide a mechanism by which I could implement this, perhaps with a custom SSL context passed to verify?

[lovelydinosaur]

perhaps with a custom SSL context passed to verify?

You can pass a custom SSL context to the verify parameter, yes. 😊

You might also want to look at the "trace" extension, in particular the "connection.start_tls.started" and "connection.start_tls.completed" events.

There's also an example in the httpcore docs showing how to pull the "ssl_info" from a network connection.

Hopefully there's enough there to get you started, et us know how you get on!

See also ticket #2599 for us documenting request and response extensions in the httpx docs.

[decoupca]

Thanks for the input! Will play around & see what comes of it.

[lovelydinosaur]

Great, will be interesting to see where you get to with this.

You might also find this issue helpful... encode/httpcore#695

[decoupca]

Tinkered with this yesterday. The closest I got was dumping the self-signed certs, then passing that into the SSL context:

import ssl
import httpx

CERT_PATH: str = "./input/certs"

def save_cert(host: str, port: int = 443, filename: str = None) -> None:
    if filename is None:
        filename = f"{CERT_PATH}/{host}.pem"
    cert = ssl.get_server_certificate((host, port))
    with open(filename, "w") as f:
        f.write(cert)

if __name__ == '__main__':
    # Step 1
    hosts = ['host1.example.net', 'host2.example.net', 'host3.example.net']
    for host in hosts:
        save_cert(host)

    # Step 2
    context = ssl.create_default_context()
    context.load_verify_locations(cafile=f'{CERT_PATH}/host1.example.net.pem')
    context.check_hostname = False
    httpx.get('https://host1.example.net/', verify=context) # <Response [200 OK]>

This all works, but it's clunky. Probably the biggest headache is that I need to specify the cert for each host (I can't pass capath=CERT_PATH, failed). That means I need to build a context and client for each request. Perhaps someone cleverer than I can come up with a more elegant solution :)