New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal v4.0 b1 (HTTP/2+3, OS Trust Store, Custom DNS, OCSP, ...) #1531
base: master
Are you sure you want to change the base?
Conversation
46f030c
to
16ccc1b
Compare
16ccc1b
to
741017e
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
faf9aef
to
c12f000
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #1531 +/- ##
==========================================
- Coverage 97.28% 0 -97.29%
==========================================
Files 67 0 -67
Lines 4235 0 -4235
==========================================
- Hits 4120 0 -4120
+ Misses 115 0 -115 ☔ View full report in Codecov by Sentry. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as resolved.
This comment was marked as resolved.
52653e4
to
247b382
Compare
0b4eebb
to
7dd1152
Compare
So far, I identified this: |
We can add the following arguments and document them:
|
7dd1152
to
7257a74
Compare
I've added and documented it.
Ideally, the connection information (TLS, Cipher, Peer/Issuer Certificate, and OCSP) should be in the request metadata and with a lexer instruction. |
7257a74
to
4c246e4
Compare
4c246e4
to
f034379
Compare
Damn this looks so tantalizing. I'd love for this to get packaged as a tryout / beta. Something installable via e.g. |
f034379
to
df42bba
Compare
You cannot force HTTP/2 using Niquests. It is negotiated via ALPN/TLS. So if the server misinterpret ALPN or discard it, HTTP/2 won't come. And yes, RFC allows it, see https://datatracker.ietf.org/doc/html/rfc9113#name-starting-http-2-with-prior- but I decided to follow the simplest path forward (ALPN/TLS), as browsers do (https://stackoverflow.com/questions/34076231/why-do-browser-implementations-of-http-2-require-tls). I might reconsider it in the future, but the use cases are rare. |
I may be missing something here, but does that imply that the client has no way to force http1 2 or 3 according to its wishes? When setting up server support for these protocols, I would like to have the ability to force all of these protocols for debugging purposes? |
There's many possibilities, the only missing piece is "force http2" or "disable http1".
Hope that clarify. |
Just updated the docs to include previous comment about protocol combo and the availability of HTTP/3 or not. Finally, we had to downgrade macos-14 (macos-latest) to macos-13 because it's relatively new and some dependencies like brotlicffi aren't ready for it. |
Hello @Ousret , nice work here ... is there an ETA on when to expect this release to become available? Thank you |
No precise ETA. We are waiting upon the owner approval. |
Looks like it could be a big step forward if @jkbrzt approves it. Last week I wanted to test resolving over IPv4 vs IPv6. I found that the released version could not help with this task, but it worked perfectly in the fork, with the same |
non https server were expected to receive "secure" cookies...? this seems to be a bug that lied in Requests for quite some time.
dec765c
to
d9db5a2
Compare
Excited to see HTTP/2 and HTTP/3 soon landing in HTTPie 🎉
I was wondering if we could have an equivalent to cURL's http-version flags i.e |
Likewise!
I first need to add a feature into Niquests, which isn't top priority right now. regards, |
docs/README.md
Outdated
This will default to SSL v2.3 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. | ||
The available protocols are `ssl2.3`, `ssl3`, `tls1`, `tls1.1`, `tls1.2`, `tls1.3`. | ||
This will default to TLS v1.0 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. | ||
The available protocols are `tls1`, `tls1.1`, `tls1.2`, `tls1.3`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Love the idea, and without digging any deeper into the changeset to verify my thoughts in implementation, I'm just raising it here for general discussion:
"This is will default to TLS v1.0 which will negotiate the highest protocol that both […] support."
- This sounds a bit confusing. It's either "This is will default to TLS v1.0" (which it should not), or "This is will default to a highest TLS version that both […]".
- Because the values don't mean "use as the lowest", but "use the chosen only" (i.e. not a tls12+ or a range, but tls12 only)
- I'd actually propose a magic value like "
tls
" (roughly meaning an alias toPROTOCOL_TLS_CLIENT
) that would use the highest protocol available. Not sure if that's the default thou, not sure if the client can have tls13 capability, but still use tls12 as a default? If default == max always, then there's prolly no need for such value, only way to use max protocol then is to omit the param though. Which would mean no "max" magic value would be listed in help/man among the "available protocols", which in turn might seem a bit confusing then. So an explicit value for max protocol available, even when it really doesn't do anything if that's the default, can still have its value for clarity. - Do you plan to silently accept the old "
ssl2.3
" value mapped to default, whatever that ends up to be, not to raise any errors?
-
Are you sure the "
tls1.3
" value works? It does not in master, and never did (since the openssl apis are different for TLSv13, and the change in flags structure [see 4. ↓] made it impossible to constrain without all*_OP_NO_*
used) — it only selects TLSv13 if that would have been the default anyways… -
Adding ranges, i.e. min=tls11 max=tls12, or just one constraint alone (to match the current python sslcontext, instead of selecting one version, or disabling individual one by one) would also be lovely at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, the "This is will default to ..." is kind of confusing. I've addressed that by rephrasing it.
- It is rephrased accordingly with "If not specified, it tries to negotiate the highest protocol that both the server and your installation of OpenSSL support."
- "tls1.3" case has been addressed, we are now assuming that "tls1.3" (associated to PROTOCOL_TLS_CLIENT) means strictly do tls 1.3, and appropriate measures have been made.
- old ssl2.3 value and alike are gone, completely, accepting them is only going to generate noise in GH issues. tls1.0 is the absolute minimum nowadays. nothing in CPython 3.7+ (+whether OpenSSL 1.1.1+ or 3+) permit to support them. so it will ends up with errors no matter what we do.
- The range of accepted tls version should be dealt with separately, I don't want to further increase this PR size, thus delaying it further on. I agree it can be useful, but it's not top priority as we speak.
regards,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To demonstrate --ssl=tls1.3
is working, run https --ssl=tls1.3 https://tls-v1-2.badssl.com:1012/
94c960e
to
7cd6579
Compare
7cd6579
to
e3cbc7f
Compare
This PR showcases how HTTPie could evolve outside of Requests.
Niquests is supposed to be a (mostly) compatible fork of Requests.
Try this preview:
$ pip install "git+https://github.com/Ousret/HTTPie.git@feature-tryout-niquests" -U
Here are the biggest pros of this:
Obviously, cons:
Complete list of changes in the fork: https://github.com/jawah/niquests/blob/main/HISTORY.md
http
#1527--download
reports an "incomplete download" with Content-Encoding: gzip and content-length. #4234.0.0.b1 (unreleased)
User-Agent
, andAccept-Encoding
headers. (#1502)--resolver
. DNS over HTTPS, DNS over TLS, DNS over QUIC, and DNS over UDP are accepted. (#99) (#1531)--interface
. (#1422) (#1531)--local-port
. (#1456) (#1531)-6
or-4
. (#94) (#1531)requests_toolbelt
in favor of directly includingMultipartEncoder
into HTTPie due to its direct dependency to requests. (#1531)multidict
in favor of implementing an internal one due to often missing pre-built wheels. (#1522) (#1531)This fix has the particularity to consider 0 byte long stdin buffer as absent stdin. Empty stdin buffer will be ignored.
-1
to retrieve packets as they arrive. (#1531)From the HTTPie user perspective, they are "prettified" on the output by default. e.g. "x-hello-world" is displayed as "X-Hello-World".
.localhost
to the default loopback address. (#1458) (#1527)Existing plugins are expected to work without any changes. The only caveat would be that certain plugin explicitly require
requests
.Future contributions may be made in order to relax the constraints where applicable.