
Skip TLS-in-TLS warning when proxy is not HTTPS #12238

Merged
Dreamsorcerer merged 1 commit into aio-libs:master from wavebyrd:fix-tls-in-tls-warning-10683
Mar 16, 2026

@wavebyrd
Contributor

Summary

  • The _warn_about_tls_in_tls warning was firing for all HTTPS requests through any proxy, but TLS-in-TLS only applies when the proxy itself uses HTTPS.
  • When the proxy is HTTP, start_tls upgrades a plain TCP connection, which is not TLS-in-TLS and works fine everywhere.
  • Added a check for req.proxy.scheme so the warning is only emitted when the proxy is actually HTTPS.

Fixes #10683

Test plan

  • Existing test_https_proxy_unsupported_tls_in_tls covers the HTTPS-proxy case and should still pass (warning still fires for HTTPS proxies on old Python).
  • HTTPS requests through an HTTP proxy no longer produce the misleading warning.
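
An added sketch of the condition described in the summary above, not code from this PR or from aiohttp: it models which TLS sessions end up stacked on the socket for each target/proxy scheme pair and warns only for the nested case. The names `tls_layers`, `warn_if_tls_in_tls`, `warning_counts`, the `nested_tls_supported` flag, the `RuntimeWarning` category and the example hosts are assumptions made for the illustration.

```python
import warnings
from urllib.parse import urlsplit

# Constructed (target URL, proxy URL) pairs; hosts are placeholders.
CASES = [
    ("http://origin.example/", "http://proxy.example:3128"),
    ("https://origin.example/", "http://proxy.example:3128"),
    ("http://origin.example/", "https://proxy.example:3129"),
    ("https://origin.example/", "https://proxy.example:3129"),
]


def tls_layers(target_url, proxy_url):
    """TLS sessions stacked on the one TCP socket, outermost first."""
    layers = []
    if proxy_url and urlsplit(proxy_url).scheme == "https":
        layers.append("client-proxy")   # CONNECT itself travels inside TLS
    if urlsplit(target_url).scheme == "https":
        layers.append("client-origin")  # started by start_tls after CONNECT
    return layers


def warn_if_tls_in_tls(target_url, proxy_url, nested_tls_supported):
    """Warn only when start_tls would wrap an already-encrypted transport."""
    layers = tls_layers(target_url, proxy_url)
    if len(layers) == 2 and not nested_tls_supported:
        warnings.warn(
            f"TLS in TLS needed for {target_url} via {proxy_url}",
            RuntimeWarning,  # category chosen for this sketch
            stacklevel=2,
        )
        return True
    return False


def warning_counts(nested_tls_supported):
    """Run every case and count the warnings each one emits."""
    counts = {}
    for target, proxy in CASES:
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            warn_if_tls_in_tls(target, proxy, nested_tls_supported)
        counts[(urlsplit(target).scheme, urlsplit(proxy).scheme)] = len(caught)
    return counts


if __name__ == "__main__":
    for schemes, n in warning_counts(nested_tls_supported=False).items():
        print(schemes, "warnings:", n)
```

With an HTTP proxy the `CONNECT` request and any proxy credentials cross the network in plaintext before the tunnel is upgraded, so the absence of the warning in that case says nothing about the confidentiality of the client-to-proxy hop.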

@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Mar 13, 2026
@codecov

codecov bot commented Mar 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.11%. Comparing base (46e4cad) to head (9d16210).
⚠️ Report is 2 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #12238   +/-   ##
=======================================
  Coverage   99.10%   99.11%           
=======================================
  Files         130      130           
  Lines       45402    45404    +2     
  Branches     2399     2400    +1     
=======================================
+ Hits        44997    45000    +3     
  Misses        273      273           
+ Partials      132      131    -1     
Flag Coverage Δ
CI-GHA 98.96% <100.00%> (+<0.01%) ⬆️
OS-Linux 98.70% <100.00%> (-0.01%) ⬇️
OS-Windows 96.97% <100.00%> (-0.01%) ⬇️
OS-macOS 97.86% <100.00%> (+<0.01%) ⬆️
Py-3.10.11 97.41% <100.00%> (-0.01%) ⬇️
Py-3.10.19 97.88% <100.00%> (-0.01%) ⬇️
Py-3.10.20 ?
Py-3.11.14 98.09% <100.00%> (+0.13%) ⬆️
Py-3.11.15 ?
Py-3.11.9 97.62% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 97.70% <100.00%> (+<0.01%) ⬆️
Py-3.12.12 98.18% <100.00%> (+<0.01%) ⬆️
Py-3.12.13 ?
Py-3.13.12 98.42% <100.00%> (-0.01%) ⬇️
Py-3.14.3 98.49% <100.00%> (+<0.01%) ⬆️
Py-3.14.3t 97.48% <100.00%> (+<0.01%) ⬆️
Py-pypy3.11.13-7.3.20 97.53% <100.00%> (+<0.01%) ⬆️
VM-macos 97.86% <100.00%> (+<0.01%) ⬆️
VM-ubuntu 98.70% <100.00%> (-0.01%) ⬇️
VM-windows 96.97% <100.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

@codspeed-hq

codspeed-hq bot commented Mar 13, 2026

Merging this PR will not alter performance

✅ 59 untouched benchmarks


Comparing wavebyrd:fix-tls-in-tls-warning-10683 (9d16210) with master (46e4cad) [1]

Footnotes

  1. No successful run was found on master (66c7205) during the generation of this report, so 46e4cad was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@wavebyrd wavebyrd force-pushed the fix-tls-in-tls-warning-10683 branch from b495be5 to 0c0dbbd Compare March 13, 2026 21:20
@Dreamsorcerer
Member

@wavebyrd Not sure what you just force pushed, but going to need that reverted to have any chance of reviewing this.

The warning in _warn_about_tls_in_tls was firing for all HTTPS
requests going through any proxy, but TLS-in-TLS only applies
when the proxy itself is HTTPS. When the proxy is HTTP, start_tls
just upgrades a plain TCP connection, which works fine on all
event loops and Python versions.

Fixes aio-libs#10683
@wavebyrd wavebyrd force-pushed the fix-tls-in-tls-warning-10683 branch from 0c0dbbd to 9d16210 Compare March 16, 2026 13:21
@wavebyrd
Contributor Author

Fixed - rebased cleanly on master. Now shows just the single commit with the fix. Sorry for the confusion!

@wavebyrd
Contributor Author

Ping - this skips the TLS-in-TLS warning when the proxy isn't HTTPS. Ready for review!

@Dreamsorcerer Dreamsorcerer added the backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot label Mar 16, 2026
@Dreamsorcerer Dreamsorcerer merged commit 24cb8c9 into aio-libs:master Mar 16, 2026
44 of 45 checks passed
@patchback
Contributor

patchback bot commented Mar 16, 2026

Backport to 3.14: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.14/24cb8c9ca414dcda009717c0872019e62fc4ef3a/pr-12238

Backported as #12248

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Mar 16, 2026
Dreamsorcerer pushed a commit that referenced this pull request Mar 16, 2026
…y is not HTTPS (#12248)

**This is a backport of PR #12238 as merged into master
(24cb8c9).**

Co-authored-by: wavebyrd <[email protected]>

Development

Successfully merging this pull request may close these issues.

Missliding warning in aiohttp.connector.TCPConnector in Python 3.11 using uvloop with local proxy via https
