Hostnames With Trailing Dots Fail TLS Certificate Check In Sync Backend

[rjduffner]

When using httpx in a sync setting, we noticed that host names with trailing dots such as, myhost.mycompany.internal. (to mark them as fully qualified in the dns) were failing with

httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Host name mismatch, certificate is not valid for 'myhost.mycompany.internal.'. (_ssl.c:1032)

However, the same request without the trailing dot in the host name works just fine.

I've seen this issue a few times in various libraries and in all cases, it was solved by stripping off the dot off the end of the host name before sending it to ssl.

Note, the ssl team in python has said this is an application layer issue. (https://bugs.python.org/issue31997).

Here is what urllib3 does for this, https://github.com/urllib3/urllib3/blob/9ff0acf2391c80b363ddb08a566f38d707dc9826/src/urllib3/connection.py#L170-L186 if that helps at all.

For httpx and httpcore, I think for the sync side, the change should be in

httpcore.._backends.sync.py:48

diff --git a/httpcore/_backends/sync.py b/httpcore/_backends/sync.py
index 4018a09..94edf08 100644
--- a/httpcore/_backends/sync.py
+++ b/httpcore/_backends/sync.py
@@ -45,7 +45,7 @@ class TLSinTLSStream(NetworkStream):  # pragma: no cover
         self.ssl_obj = ssl_context.wrap_bio(
             incoming=self._incoming,
             outgoing=self._outgoing,
-            server_hostname=server_hostname,
+            server_hostname=server_hostname.rstrip(".") if server_hostname else None,
         )

         self._sock.settimeout(timeout)

Forgive my lack of knowledge on the async side but I think any fix there would be in the downstream libraries, anyio and trio.