HTTPs Proxies not working.

[parthaa]

Version
tfm-pulpcore-python3-pulpcore-3.17.7-1.el7.noarch
tfm-pulpcore-python3-aiohttp-3.8.1-2.el7.x86_64

Describe the bug
There was HTTPS proxy tunneling support added to the aiohttp library for 3.8.1 => aio-libs/aiohttp#5992
However pulpcore does not

1. Have the necessary bindings to get this mode to run.
2. Expects the CA Cert of the proxy to be concatenated to the repo's remote CA cert instead of expecting it in the default trust store (as it used to do in pulp2).

To Reproduce
Steps to reproduce the behavior:

• Setup a https proxy or ping me about one
• Add the proxy's cacert to the default trust store.
• Add a repo remote with the feed and proxy urls
• Sync

Expected behavior
Clean Sync

Actual behavior
SSL error while trying to connect to the proxy.

[parthaa]

Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1993917

[dkliban]

This works with Python 3.11. Closing the issue since Pulp is not in the position to update Python for users.

[dralley]

@dkliban Does this work immediately with Python 3.11 or are other patches required? Because I see Partha's PR which monkeypatches the internal flag that enables this support, but that's not all it does, it does other things too.

Will we need to adopt some or all of those other changes in order for this to work? If so then this issue ought to be reopened because we won't get this resolved for free by upgrading the Python runtime.

[dkliban]

This should just work with Python 3.11. There are no code changes in Pulp required.

[ggainey]

Reopening - while python/3.11 and recent aiohttp will (finally) allow this, Pulp still needs to load the system-allowed certstore to be able to trust an HTTPS proxy's CA.