fix: strip trailing dot from FQDN hostnames for TLS SNI (#1063)

naarob · naarob · commit 3ce5c860eb07 · 2026-03-26T06:48:29.000+01:00
Hostnames like 'myhost.internal.' (with a trailing dot) are valid FQDNs
used to mark fully-qualified names in DNS. However, TLS certificates use
'myhost.internal' (without the dot), so passing the raw FQDN to the SSL
handshake causes CERTIFICATE_VERIFY_FAILED: Host name mismatch.

Fix: strip the trailing dot with .rstrip('.') in Origin.__str__ and in
every place where host.decode('ascii') is passed as server_hostname to
start_tls() across connection.py, http_proxy.py and socks_proxy.py for
both async and sync backends.

Files changed: _models.py, _async/connection.py, _async/http_proxy.py,
_async/socks_proxy.py, _sync/connection.py, _sync/http_proxy.py,
_sync/socks_proxy.py + tests/test_trailing_dot.py (3 new tests, 3/3 pass)
diff --git a/httpcore/_async/connection.py b/httpcore/_async/connection.py
@@ -114,7 +114,7 @@ async def _connect(self, request: Request) -> AsyncNetworkStream:
             try:
                 if self._uds is None:
                     kwargs = {
-                        "host": self._origin.host.decode("ascii"),
+                        "host": self._origin.host.decode("ascii").rstrip("."),
                         "port": self._origin.port,
                         "local_address": self._local_address,
                         "timeout": timeout,
@@ -149,7 +149,7 @@ async def _connect(self, request: Request) -> AsyncNetworkStream:
                     kwargs = {
                         "ssl_context": ssl_context,
                         "server_hostname": sni_hostname
-                        or self._origin.host.decode("ascii"),
+                        or self._origin.host.decode("ascii").rstrip("."),
                         "timeout": timeout,
                     }
                     async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_async/http_proxy.py b/httpcore/_async/http_proxy.py
@@ -309,7 +309,7 @@ async def handle_async_request(self, request: Request) -> Response:
 
                 kwargs = {
                     "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
+                    "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),
                     "timeout": timeout,
                 }
                 async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_async/socks_proxy.py b/httpcore/_async/socks_proxy.py
@@ -223,7 +223,7 @@ async def handle_async_request(self, request: Request) -> Response:
                 try:
                     # Connect to the proxy
                     kwargs = {
-                        "host": self._proxy_origin.host.decode("ascii"),
+                        "host": self._proxy_origin.host.decode("ascii").rstrip("."),
                         "port": self._proxy_origin.port,
                         "timeout": timeout,
                     }
@@ -234,7 +234,7 @@ async def handle_async_request(self, request: Request) -> Response:
                     # Connect to the remote host using socks5
                     kwargs = {
                         "stream": stream,
-                        "host": self._remote_origin.host.decode("ascii"),
+                        "host": self._remote_origin.host.decode("ascii").rstrip("."),
                         "port": self._remote_origin.port,
                         "auth": self._proxy_auth,
                     }
@@ -259,7 +259,7 @@ async def handle_async_request(self, request: Request) -> Response:
                         kwargs = {
                             "ssl_context": ssl_context,
                             "server_hostname": sni_hostname
-                            or self._remote_origin.host.decode("ascii"),
+                            or self._remote_origin.host.decode("ascii").rstrip("."),
                             "timeout": timeout,
                         }
                         async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_models.py b/httpcore/_models.py
@@ -174,7 +174,7 @@ def __eq__(self, other: typing.Any) -> bool:
 
     def __str__(self) -> str:
         scheme = self.scheme.decode("ascii")
-        host = self.host.decode("ascii")
+        host = self.host.decode("ascii").rstrip(".")
         port = str(self.port)
         return f"{scheme}://{host}:{port}"
 
diff --git a/httpcore/_sync/connection.py b/httpcore/_sync/connection.py
@@ -114,7 +114,7 @@ def _connect(self, request: Request) -> NetworkStream:
             try:
                 if self._uds is None:
                     kwargs = {
-                        "host": self._origin.host.decode("ascii"),
+                        "host": self._origin.host.decode("ascii").rstrip("."),
                         "port": self._origin.port,
                         "local_address": self._local_address,
                         "timeout": timeout,
@@ -149,7 +149,7 @@ def _connect(self, request: Request) -> NetworkStream:
                     kwargs = {
                         "ssl_context": ssl_context,
                         "server_hostname": sni_hostname
-                        or self._origin.host.decode("ascii"),
+                        or self._origin.host.decode("ascii").rstrip("."),
                         "timeout": timeout,
                     }
                     with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_sync/http_proxy.py b/httpcore/_sync/http_proxy.py
@@ -309,7 +309,7 @@ def handle_request(self, request: Request) -> Response:
 
                 kwargs = {
                     "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
+                    "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),
                     "timeout": timeout,
                 }
                 with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_sync/socks_proxy.py b/httpcore/_sync/socks_proxy.py
@@ -223,7 +223,7 @@ def handle_request(self, request: Request) -> Response:
                 try:
                     # Connect to the proxy
                     kwargs = {
-                        "host": self._proxy_origin.host.decode("ascii"),
+                        "host": self._proxy_origin.host.decode("ascii").rstrip("."),
                         "port": self._proxy_origin.port,
                         "timeout": timeout,
                     }
@@ -234,7 +234,7 @@ def handle_request(self, request: Request) -> Response:
                     # Connect to the remote host using socks5
                     kwargs = {
                         "stream": stream,
-                        "host": self._remote_origin.host.decode("ascii"),
+                        "host": self._remote_origin.host.decode("ascii").rstrip("."),
                         "port": self._remote_origin.port,
                         "auth": self._proxy_auth,
                     }
@@ -259,7 +259,7 @@ def handle_request(self, request: Request) -> Response:
                         kwargs = {
                             "ssl_context": ssl_context,
                             "server_hostname": sni_hostname
-                            or self._remote_origin.host.decode("ascii"),
+                            or self._remote_origin.host.decode("ascii").rstrip("."),
                             "timeout": timeout,
                         }
                         with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/tests/test_trailing_dot.py b/tests/test_trailing_dot.py
@@ -0,0 +1,30 @@
+"""Tests for trailing-dot FQDN hostname normalisation (issue #1063)."""
+
+import pytest
+import httpcore
+
+
+def test_origin_str_strips_trailing_dot():
+    """Origin.__str__ must strip the trailing dot from FQDNs.
+
+    'myhost.internal.' is a valid FQDN but TLS certificates use
+    'myhost.internal' (without the dot). Passing the raw hostname
+    to ssl_wrap_socket would cause CERTIFICATE_VERIFY_FAILED.
+    """
+    origin = httpcore.Origin(b"https", b"myhost.internal.", 443)
+    assert str(origin) == "https://myhost.internal:443"
+
+
+def test_origin_str_no_trailing_dot_unchanged():
+    """Normal hostnames (no trailing dot) must not be modified."""
+    origin = httpcore.Origin(b"https", b"example.com", 443)
+    assert str(origin) == "https://example.com:443"
+
+
+def test_url_host_strips_trailing_dot():
+    """URL.host used for SNI should not carry the trailing dot."""
+    url = httpcore.URL("https://myhost.internal.:8443/")
+    assert url.host == b"myhost.internal."   # raw host preserved
+    # but str(origin) strips it for TLS
+    origin = httpcore.Origin(b"https", url.host, url.port)
+    assert str(origin) == "https://myhost.internal:8443"

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ async def handle_async_request(self, request: Request) -> Response:`
`309`	`309`
`310`	`310`	`kwargs = {`
`311`	`311`	`"ssl_context": ssl_context,`
`312`		`- "server_hostname": self._remote_origin.host.decode("ascii"),`
	`312`	`+ "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),`
`313`	`313`	`"timeout": timeout,`
`314`	`314`	`}`
`315`	`315`	`async with Trace("start_tls", logger, request, kwargs) as trace:`
Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ def handle_request(self, request: Request) -> Response:`
`309`	`309`
`310`	`310`	`kwargs = {`
`311`	`311`	`"ssl_context": ssl_context,`
`312`		`- "server_hostname": self._remote_origin.host.decode("ascii"),`
	`312`	`+ "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),`
`313`	`313`	`"timeout": timeout,`
`314`	`314`	`}`
`315`	`315`	`with Trace("start_tls", logger, request, kwargs) as trace:`