fix: keep TLS verification on by default behind a proxy#7

Open
enieuwy wants to merge 1 commit into
Rimagination:mainfrom
enieuwy:fix/tls-verify-default

Conversation

@enieuwy enieuwy commented Jun 29, 2026


Problem

instsci/http_utils.py disabled TLS certificate verification for every
request as soon as any HTTP_PROXY / HTTPS_PROXY (or lowercase) env var was
set:

if os.environ.get("HTTP_PROXY") or os.environ.get("HTTPS_PROXY") or ...:
    _SSL_VERIFY = False
    urllib3.disable_warnings(...)

The intent was to tolerate self-signed certs on local library connectors, but
the blast radius is the whole HTTP layer. Anyone who runs InstSci with a proxy
configured (common on university networks / VPNs — exactly the institutional
setting this tool targets) silently sends all traffic, including
authenticated institutional sessions and publisher requests, without
certificate verification, exposing them to interception.

Change

  • TLS verification stays on by default, including behind a proxy.
  • To trust a self-signed connector CA, set REQUESTS_CA_BUNDLE (honoured
    natively by requests) — the standard, safe mechanism.
  • Verification can be disabled only by an explicit, deliberate
    INSTSCI_INSECURE_TLS opt-in, which logs a loud warning each load.

No change to request_with_retry's behaviour beyond the default it inherits.

Testing

Added tests/test_http_utils_tls.py covering:

  • verify on by default,
  • verify still on behind a proxy (the regression),
  • verify off only with explicit opt-in,
  • truthy/falsey opt-in parsing.

Based on main; does not touch files in flight on codex/instsci-user-install-doctor.

http_utils disabled certificate verification for *all* requests as soon
as any HTTP(S)_PROXY env var was present. That silently exposed every
request -- including authenticated institutional sessions and publisher
traffic -- to interception, far beyond the self-signed local-connector
case it was meant to support.

Verification now stays on by default, even behind a proxy. To trust a
self-signed connector CA, set REQUESTS_CA_BUNDLE (honoured natively by
requests). Verification is disabled only via an explicit
INSTSCI_INSECURE_TLS opt-in, which logs a loud warning.

Adds tests: default-on, proxy-still-on, explicit opt-in, falsey values.
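The secure-default logic described in this PR, modelled as an added example (not code from the instsci project): the pre-fix rule that turned verification off whenever a proxy variable was present sits beside the fixed rule, which keeps verification on and only disables it for an explicit INSTSCI_INSECURE_TLS opt-in. Function names, the logger name and the set of strings accepted as truthy are assumptions.

```python
import logging

logger = logging.getLogger("instsci.http_utils")  # assumed logger name

# Strings accepted as an explicit "yes" for the opt-in (assumed parsing rule).
_TRUTHY = {"1", "true", "yes", "on"}
_PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")


def _env_truthy(value):
    """Return True only for a recognised truthy string; None/''/'0'/'false' are off."""
    if value is None:
        return False
    return value.strip().lower() in _TRUTHY


def resolve_ssl_verify_before(env):
    """Pre-fix behaviour (the bug): any proxy variable disables verification."""
    if any(env.get(var) for var in _PROXY_VARS):
        return False
    return True


def resolve_ssl_verify(env):
    """Fixed behaviour: return the value to pass as requests' verify= argument.

    True means requests uses its own CA bundle, or REQUESTS_CA_BUNDLE when that
    is set, which is how a self-signed connector CA should be trusted. Proxy
    variables no longer affect the result; only the explicit opt-in does.
    """
    if _env_truthy(env.get("INSTSCI_INSECURE_TLS")):
        logger.warning(
            "INSTSCI_INSECURE_TLS is set: TLS certificate verification is "
            "DISABLED for all requests. Prefer REQUESTS_CA_BUNDLE for "
            "self-signed connector CAs."
        )
        return False
    return True


def build_session(env):
    """Create a requests.Session whose verify flag follows resolve_ssl_verify."""
    import requests  # imported here so the resolver above stays dependency-free

    session = requests.Session()
    session.verify = resolve_ssl_verify(env)
    return session
```

Pass `os.environ` as `env` in real use; the dict parameter exists so the default can be tested without touching the process environment.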