Releases: jawah/urllib3.future
Version 2.2.902
2.2.902 (2023-11-05)
- Fixed QUIC connection not taking
cert_datadue to an accidental variable override.
Version 2.2.901
2.2.901 (2023-11-04)
- Fixed several issues with multiplexing.
(i) Fixed max concurrent streams in HTTP/2, and HTTP/3.
(ii) Fixed tracking of unconsumed response prior to try to upgrade the connection (to HTTP/3).
(iii) Fixed (always) releasing multiplexed connections into the pool.
(iv) Fixed request having body interrupted by theEarlyResponseexception 'signal'.
Version 2.2.900
2.2.900 (2023-11-01)
-
Added support for in-memory client (intermediary) certificate to be used with mTLS.
This feature compensates for the complete removal ofpyOpenSSL. Unfortunately, it is only
available on Linux, OpenBSD, and FreeBSD. Using newly addedcert_dataandkey_dataarguments
inHTTPSConnectionandHTTPSPoolConnectionyou will be capable of passing the certificate along with
its key without getting nowhere near your filesystem.
MacOS and Windows are not concerned by this feature when using HTTP/1.1, and HTTP/2 with TLS over TCP. -
Removed remnant
SSLTransport.makefileas it was built to circumvent a legacy constraint when urllib3 depended upon
http.client. -
Bumped minimum requirement for
qh3to version 0.13.0 in order to support in-memory client certificate (mTLS). -
Symbolic complete detachment from
http.client. Removed all references and imports tohttp.client. Farewell! -
Changed the default ciphers in default SSLContext for an increased security level.
Rational: Earlier in v2.1.901 we initialized the SSLContext ciphers with the valueDEFAULTbut after much
consideration, after we saw that the associated ciphers (e.g.DEFAULTfrom OpenSSL) includes some weak suites
we decided to inject a rather safer and limited cipher suite. It is based on https://ssl-config.mozilla.org
Starting now, urllib3.future will match Mozilla cipher recommendations (intermediary) and will regularly update the suite. -
Added support for multiplexed connection. HTTP/2 and HTTP/3 can benefit from this.
urllib3.future no longer blocks whenurlopen(...)is invoked usingmultiplexed=True, and return
aResponsePromiseinstead of aHTTPResponse. You may dispatch as many requests as the protocol
permits you (concurrent stream) and then retrieve the response(s) using theget_response(...).
get_response(...)can take up to one kwarg to specify the target promise, if none is specified, will retrieve
the first available response.multiplexedis set to False by default and will likely be the default for a long
time.
Here is an example:from urllib3 import PoolManager with PoolManager() as pm: promise0 = pm.urlopen("GET", "https://pie.dev/delay/3", multiplexed=True) # <ResponsePromise 'IOYTFooi0bCuaQ9mwl4HaA==' HTTP/2.0 Stream[1]> promise1 = pm.urlopen("GET", "https://pie.dev/delay/1", multiplexed=True) # <ResponsePromise 'U9xT9dPVGnozL4wzDbaA3w==' HTTP/2.0 Stream[3]> response0 = pm.get_response() # the second request arrived first response0.json()["url"] # https://pie.dev/delay/1 # the first arrived last response1 = pm.get_response() response1.json()["url"] # https://pie.dev/delay/3
or you may do:
from urllib3 import PoolManager with PoolManager() as pm: promise0 = pm.urlopen("GET", "https://pie.dev/delay/3", multiplexed=True) # <ResponsePromise 'IOYTFooi0bCuaQ9mwl4HaA==' HTTP/2.0 Stream[1]> promise1 = pm.urlopen("GET", "https://pie.dev/delay/1", multiplexed=True) # <ResponsePromise 'U9xT9dPVGnozL4wzDbaA3w==' HTTP/2.0 Stream[3]> response0 = pm.get_response(promise=promise0) # forcing retrieving promise0 response0.json()["url"] # https://pie.dev/delay/3 # then pick first available response1 = pm.get_response() response1.json()["url"] # https://pie.dev/delay/1
You may do multiplexing using
PoolManager, andHTTPSPoolConnection. Connection upgrade
to HTTP/3 cannot be done until all in-flight requests are completed.
Be aware that a non-capable connection (e.g. HTTP/1.1) will just ignore themultiplexed=Truesetting
and act traditionally. -
Connections are now released into their respective pool when the connection supports multiplexing (HTTP/2, HTTP/3)
before the response has been consumed. This allows to have multiple responses half-consumed from a single connection.
Version 2.1.903
2.1.903 (2023-10-23)
- Removed
BaseHTTPConnection, andBaseHTTPSConnection.
Rationale: The initial idea, as far as I understand it, was to create aHTTPSConnectionper protocols, e.g.
HTTP/2, and HTTP/3. From the point of view ofurllib3.futureit was taken care of incontrib.hface
where the protocols state-machines are handled. We plan to always have a unifiedConnectionclass that
regroup all protocols for convenience. The private moduleurllib3._base_connectionis renamed tourllib3._typing.
It brings a lot of simplification, which is welcomed. - Reduced
BaseHTTPResponseto a mere alias ofHTTPResponsefor the same reasoning as before. There is absolutely
no need whatsoever in the foreseeable future to ship urllib3.future with an alternative implementation ofHTTPResponse.
It will be removed in a future major. - Removed
RECENT_DATEand linked logic as it does not make sense to (i) maintain it (ii) the certificate verification
failure won't be avoided anyway, so it is a warning prior to an unavoidable error. The warning classSystemTimeWarning
will be removed in a future major. - Added support for stopping sending body if the server responded early in HTTP/2, or HTTP/3.
This can happen when a server says that you exhausted the size limit or if previously sent
headers were rejected for example. This should save a lot of time for users in given cases. - Refactored scattered typing aliases across the sources.
urllib3._typingnow contain all of our definitions. - Avoid installation of
qh3in PyPy 3.11+ while pre-built wheels are unavailable.
Version 2.1.902
2.1.902 (2023-10-21)
- Fixed an issue where streaming response did not yield data until the stream was closed.
- Unified peercert/issuercert dict output in ConnectionInfo output format when HTTP/3.
- Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
Headerscontent-encoding, content-language, content-location, content-type, content-length, digest, last-modifiedare
also stripped in the said case.
Port of the security fix GHSA-g4mx-q9vg-27p4 _TYPE_BODYnow acceptIterable[str]in addition toIterable[bytes].
Version 2.1.901
2.1.901 (2023-10-10)
- Set
DEFAULT(as OpenSSL default list) for ciphers in SSLContext if none is provided instead of Python default. - Fixed an edge case where the chosen state machine would be indicated not to end stream where it should.
- Fixed a rare case where
ProtocolErrorwas raised instead ofSSLErrorin the underlying QUIC layer state machine. - Small performance improvement in sending a body by removing an obsolete logic made for a removed constraint.
- Changed default
User-Agenttourllib3.future/x.y.z. - Removed a compatibility operation that added a
Content-Lengthheader on request with an unknown body length.
This was present due to a bug in Traefik server. An investigation will be conducted and a relevant issue will be
addressed.
Version 2.1.900
2.1.900 (2023-10-07)
-
Added
cipherinConnectionInfowhen using HTTP/3 over QUIC. -
Added
issuer_certificate_der,issuer_certificate_dictintoConnectionInfo.By default, it is set to
None. This property is filled automatically on a QUIC connection.
It cannot be done automatically when using native Python capabilities. -
Removed support for SecureTransport.
-
Removed support for PyOpenSSL.
This module is not deleted but rendered ineffective. An explicit warning still appears.
-
Improved automated exchange between the socket and the HTTP state machines.
-
Removed all dependencies in the
secureextra. -
Fixed disabling HTTP/3 over QUIC if specified settings were incompatible with TLS over QUIC.
Previously if
ssl_contextwas set and specifying a list of ciphers it was discarded on upgrade.
Also, ifssl_maximum_versionwas set to TLS v1.2.
Now those parameters are correctly forwarded to the custom QUIC/TLS layer. -
Fixed
ConnectionInforepr that did not shown thehttp_versionproperty. -
Undeprecated 'ssl_version' option in create_urllib3_context.
-
Undeprecated 'format_header_param_rfc2231'.
-
Removed warning about the 'strict' parameter.
-
Removed constant
IS_PYOPENSSLandIS_SECURETRANSPORTfromurllib3.utils. -
Added raise warning when using environment variables
SSLKEYLOGFILE, andQUICLOGDIR. -
Added the
Cookieheader to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set viaRetry.remove_headers_on_redirect. -
Removed warning about ssl not being the
OpenSSLbackend. You are free to choose.Users are encouraged to report issues if any to the jawah/urllib3.future repository.
Support will be provided to the best of our abilities.
Version 2.0.936
2.0.936 (2023-10-01)
-
Added support for event
StreamResetto raise aProtocolErrorwhen received from either h2 or h3. (#28 <https://github.com/jawah/urllib3.future/issues/28>__) -
Fixed a violation in our QUIC transmission due to sending multiple datagrams at once. (
#26 <https://github.com/jawah/urllib3.future/issues/26>__)
Version 2.0.934
2.0.934 (2023-09-23)
-
Added public
ConnectionInfoclass that will be present in eachHttpConnectioninstance.Passing the kwarg
on_post_connectionthat accept a callable with a single positional argument
inPoolManager.urlopenmethod will result in a call each time a connection is picked out
of the pool. The function will be passed aConnectionInfoobject.
The same argument (on_post_connection) can be passed down to theHTTPConnectionPool.urlopenmethod. (#23 <https://github.com/jawah/urllib3.future/issues/23>__) -
#22 <https://github.com/jawah/urllib3.future/issues/22>__
Version 2.0.933
2.0.933 (2023-09-21)
Bugfixes
- Fixed
HTTPSConnectionPoolnot accepting and forwardingca_cert_data. (#20 <https://github.com/jawah/urllib3.future/issues/20>__)