strip trailing dot from FQDN hostnames for TLS SNI #1007

Open
mbeijen wants to merge 1 commit into pydantic:main from mbeijen:fix/trailing-dot-fqdn-sni

@mbeijen mbeijen commented Jun 1, 2026

Summary

  • Adds Origin.normalized_host as the single source of truth for hostname → ASCII conversion + trailing FQDN-dot stripping.
  • All DNS connect, SOCKS5 target, and TLS SNI callsites in httpcore2 (_async/connection.py, _async/http_proxy.py, _async/socks_proxy.py + unasync'd _sync/ mirrors) now use origin.normalized_host. Origin.__str__ does the same. Raw Origin.host bytes are preserved.
  • Fixes the CERTIFICATE_VERIFY_FAILED: Host name mismatch that triggers when a request URL is given an FQDN with a trailing dot (e.g. https://myhost.internal./).

Fixes encode/httpcore#1063. Approach matches upstream PR encode/httpcore#1068 (same author as the httpcorexyz fork commit this is ported from); see also alternative proposals #1067, #1074, #1086.


Note: this change was prepared with AI assistance (Claude Code).

Hostnames like 'myhost.internal.' (with a trailing dot) are valid FQDNs
used to mark fully-qualified names in DNS. However, TLS certificates use
'myhost.internal' (without the dot), so passing the raw FQDN through to
the SSL handshake causes CERTIFICATE_VERIFY_FAILED: Host name mismatch.

Add Origin.normalized_host as the single source of truth: it decodes the
host bytes to ASCII and strips any trailing FQDN dot. All connection,
proxy, and SOCKS callsites now use origin.normalized_host, and
Origin.__str__ does the same. Raw Origin.host bytes are preserved.

Fixes encode/httpcore#1063. Adopts the approach of upstream PR
encode/httpcore#1068 (same author as the httpcorexyz fork commit);
see also alternative proposals #1067, #1074, #1086.

Co-Authored-By: naarob <laforge@forge-sync.local>
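
Added example, not part of the PR or of httpcore2: a sketch of the normalization the summary describes, next to a simplified SAN comparison showing why the raw trailing-dot name fails verification. `normalized_host`, `san_matches`, `verify` and the sample SAN list are hypothetical names and constructed data, and stripping exactly one dot is an assumption of this sketch.

```python
# Added illustration; not httpcore2's code. All names here are hypothetical.

def normalized_host(host: bytes) -> str:
    """Decode host bytes to ASCII and drop one trailing FQDN dot.

    Assumption: only a single trailing dot is removed, so malformed input
    such as b"example.." keeps a dot and still fails certificate matching.
    """
    name = host.decode("ascii")
    if name.endswith(".") and len(name) > 1:
        name = name[:-1]
    return name


def san_matches(san: str, hostname: str) -> bool:
    """Simplified dNSName comparison (not OpenSSL's matcher):
    case-insensitive, label by label, '*' only as the whole left-most label."""
    san_labels = san.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "" in host_labels:  # empty label, e.g. produced by a trailing dot
        return False
    if san_labels[1:] != host_labels[1:]:
        return False
    return san_labels[0] == "*" or san_labels[0] == host_labels[0]


def verify(cert_sans: list[str], server_hostname: str) -> bool:
    """True if any SAN entry matches the name offered for verification."""
    return any(san_matches(san, server_hostname) for san in cert_sans)


# Constructed sample data: SANs of a certificate for the PR's example host.
CERT_SANS = ["myhost.internal", "*.svc.internal"]
RAW_HOST = b"myhost.internal."  # host bytes from https://myhost.internal./

if __name__ == "__main__":
    raw = RAW_HOST.decode("ascii")
    print(f"{raw!r:22} verified={verify(CERT_SANS, raw)}")      # mismatch
    fixed = normalized_host(RAW_HOST)
    print(f"{fixed!r:22} verified={verify(CERT_SANS, fixed)}")  # match
```

The same normalized value has to reach both the SNI extension and the hostname check; normalizing only one of them would leave the two out of step.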

codspeed-hq Bot commented Jun 1, 2026

Merging this PR will not alter performance

✅ 15 untouched benchmarks
⏩ 7 skipped benchmarks [1]


Comparing mbeijen:fix/trailing-dot-fqdn-sni (d1faecc) with main (04f3804)

Footnotes

  1. 7 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 10 files

@mbeijen mbeijen changed the title from "httpcore2: strip trailing dot from FQDN hostnames for TLS SNI" to "strip trailing dot from FQDN hostnames for TLS SNI" on Jun 1, 2026