Fix SSL certificate verification failure for hostnames with trailing dots

noreply · noreply · commit d112833142e3 · 2026-03-23T03:14:30.000+08:00
Python's ssl module does not handle trailing dots in server_hostname, causing CERTIFICATE_VERIFY_FAILED errors for fully qualified domain names (FQDNs) like 'example.com.'. This fix strips the trailing dot from server_hostname at the connection level before passing it to SSL backends, following the same approach used by urllib3. The underlying DNS resolution still uses the original hostname with the trailing dot. Fixes #1063
diff --git a/httpcore/_async/connection.py b/httpcore/_async/connection.py
@@ -148,8 +148,9 @@ async def _connect(self, request: Request) -> AsyncNetworkStream:
 
                     kwargs = {
                         "ssl_context": ssl_context,
-                        "server_hostname": sni_hostname
-                        or self._origin.host.decode("ascii"),
+                        "server_hostname": (
+                            sni_hostname or self._origin.host.decode("ascii")
+                        ).rstrip("."),
                         "timeout": timeout,
                     }
                     async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_async/http_proxy.py b/httpcore/_async/http_proxy.py
@@ -309,7 +309,7 @@ async def handle_async_request(self, request: Request) -> Response:
 
                 kwargs = {
                     "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
+                    "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),
                     "timeout": timeout,
                 }
                 async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_async/socks_proxy.py b/httpcore/_async/socks_proxy.py
@@ -258,8 +258,9 @@ async def handle_async_request(self, request: Request) -> Response:
 
                         kwargs = {
                             "ssl_context": ssl_context,
-                            "server_hostname": sni_hostname
-                            or self._remote_origin.host.decode("ascii"),
+                            "server_hostname": (
+                                sni_hostname or self._remote_origin.host.decode("ascii")
+                            ).rstrip("."),
                             "timeout": timeout,
                         }
                         async with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_sync/connection.py b/httpcore/_sync/connection.py
@@ -148,8 +148,9 @@ def _connect(self, request: Request) -> NetworkStream:
 
                     kwargs = {
                         "ssl_context": ssl_context,
-                        "server_hostname": sni_hostname
-                        or self._origin.host.decode("ascii"),
+                        "server_hostname": (
+                            sni_hostname or self._origin.host.decode("ascii")
+                        ).rstrip("."),
                         "timeout": timeout,
                     }
                     with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_sync/http_proxy.py b/httpcore/_sync/http_proxy.py
@@ -309,7 +309,7 @@ def handle_request(self, request: Request) -> Response:
 
                 kwargs = {
                     "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
+                    "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),
                     "timeout": timeout,
                 }
                 with Trace("start_tls", logger, request, kwargs) as trace:
diff --git a/httpcore/_sync/socks_proxy.py b/httpcore/_sync/socks_proxy.py
@@ -258,8 +258,9 @@ def handle_request(self, request: Request) -> Response:
 
                         kwargs = {
                             "ssl_context": ssl_context,
-                            "server_hostname": sni_hostname
-                            or self._remote_origin.host.decode("ascii"),
+                            "server_hostname": (
+                                sni_hostname or self._remote_origin.host.decode("ascii")
+                            ).rstrip("."),
                             "timeout": timeout,
                         }
                         with Trace("start_tls", logger, request, kwargs) as trace:

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ async def handle_async_request(self, request: Request) -> Response:`
`309`	`309`
`310`	`310`	`kwargs = {`
`311`	`311`	`"ssl_context": ssl_context,`
`312`		`- "server_hostname": self._remote_origin.host.decode("ascii"),`
	`312`	`+ "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),`
`313`	`313`	`"timeout": timeout,`
`314`	`314`	`}`
`315`	`315`	`async with Trace("start_tls", logger, request, kwargs) as trace:`
Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ def handle_request(self, request: Request) -> Response:`
`309`	`309`
`310`	`310`	`kwargs = {`
`311`	`311`	`"ssl_context": ssl_context,`
`312`		`- "server_hostname": self._remote_origin.host.decode("ascii"),`
	`312`	`+ "server_hostname": self._remote_origin.host.decode("ascii").rstrip("."),`
`313`	`313`	`"timeout": timeout,`
`314`	`314`	`}`
`315`	`315`	`with Trace("start_tls", logger, request, kwargs) as trace:`