Can't suppress all SSL verification errors #3292

Closed
dandrei opened this issue Sep 26, 2018 · 12 comments
Labels
bug invalid This doesn't seem right outdated

Comments

@dandrei

dandrei commented Sep 26, 2018

Long story short

Can't suppress all SSL verification errors.

Expected behaviour

No errors should be thrown when injecting into the ClientSession a TCPConnector initialized with ssl=False.

Actual behaviour

Python dumps the exception stacktrace:

ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1045)

Steps to reproduce

Run this code:

import asyncio

import aiohttp

loop = asyncio.get_event_loop()

# Site from the report
uri = 'https://www.000directory.com.ar'

async def test():
    # Connector created with ssl=False, as described above
    async with aiohttp.ClientSession(connector=aiohttp.TCPConnector(ssl=False)) as session:
        async with session.get(uri) as r:
            print(r)

loop.run_until_complete(test())

Your environment

aiohttp 3.4.4
Ubuntu 16.04 (Python 3.5.5)
Windows 10 (Python 3.7)

@asvetlov
Member

GitMate.io thinks possibly related issues are #2822 (Unexpected SSL error (CERTIFICATE_VERIFY_FAILED)), #3242 (Error), #2408 (SSL Errors are not caught by proxy connector), #272 (SSL documentation), and #1203 (CookieJar error).

@asvetlov asvetlov added bug invalid This doesn't seem right labels Sep 26, 2018
@asvetlov
Member

ssl=False means disabling the SSL certificate check, not disabling SSL altogether.
Sorry, it is impossible.
If peers cannot agree on the SSL protocol version to use -- they just cannot work together.
Perhaps your server uses an old SSL version disabled by Python for security reasons.
Please learn how to create a custom ssl.SSLContext with passing a flag to enable compromised SSL modes.
The subject is out of aiohttp scope; the standard Python documentation can help: https://docs.python.org/3/library/ssl.html#ssl.create_default_context

@dandrei
Author

dandrei commented Sep 26, 2018

Any way to prevent the stack trace from being displayed on stdout?

@asvetlov
Member

Fixed in Python 3.8. No way to fix it in aiohttp itself.

@antfuentes87

> ssl=False means disabling the SSL certificate check, not disabling SSL altogether.
> Sorry, it is impossible.
> If peers cannot agree on the SSL protocol version to use -- they just cannot work together.
> Perhaps your server uses an old SSL version disabled by Python for security reasons.
> Please learn how to create a custom ssl.SSLContext with passing a flag to enable compromised SSL modes.
> The subject is out of aiohttp scope; the standard Python documentation can help: https://docs.python.org/3/library/ssl.html#ssl.create_default_context

Can you give an example of creating a custom ssl.SSLContext and how it would be used in aiohttp? I have been trying for a while now but I keep running into issues. A simple example would be much appreciated.

@webknjaz
Member

@antfuentes87

import ssl

from aiohttp import web

custom_context = ssl.create_default_context()
custom_context... # do things to it

web.run_app(..., ssl_context=custom_context, ...)

@antfuentes87

antfuentes87 commented Dec 30, 2018

@webknjaz

Thank you very much for the example. I did actually manage to get that far. The part I am struggling with is when @asvetlov said "with passing a flag to enable compromised SSL modes". What does he mean by that and what does that look like?

@webknjaz
Member

Probably custom_context.verify_mode = ssl.CERT_NONE, it depends on your use-case. You should try to understand what you want first.

@antfuentes87

> Probably custom_context.verify_mode = ssl.CERT_NONE, it depends on your use-case. You should try to understand what you want first.

Yes that is what I was looking for. Thank you very much! Unfortunately it did not make ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number go away. Pretty sure there is nothing else I can try. Probably just have to wait to upgrade to Python 3.8

@webknjaz
Member

That's because this error is not about cert verification. It's about the client trying to connect via plain http to https port.

verify_mode on a server-side socket controls how the server verifies the client cert, which you probably don't use. The same on the client-side socket would let you ignore an invalid server cert, but that's not where the exception is happening.

So no, this will not help you to suppress the exception. And yet, if it's a bug in asyncio you could try replacing it with something else, like uvloop.
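
Added example, not part of the thread or of aiohttp: a self-contained asyncio reproduction of the point above, using a constructed local peer that answers the TLS ClientHello in plain HTTP. A verifying context and a CERT_NONE context fail the handshake identically (commonly reported by OpenSSL as WRONG_VERSION_NUMBER), so the error has to be caught where the connection is made; the names plain_http_peer, unverified_context, probe and compare_contexts are illustrative.

```python
import asyncio
import ssl

PLAIN_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

async def plain_http_peer(reader, writer):
    # Constructed peer for the demo: answers the ClientHello with plain HTTP.
    try:
        await reader.read(4096)          # consume the client's ClientHello
        writer.write(PLAIN_REPLY)
        await writer.drain()
        await reader.read()              # wait until the client gives up
    except ConnectionError:
        pass
    finally:
        writer.close()

def unverified_context():
    # Client-side context with certificate and hostname checks switched off.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

async def probe(ctx):
    """Handshake with the plain peer; return (exception class, reason) or None."""
    server = await asyncio.start_server(plain_http_peer, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        _, writer = await asyncio.open_connection("127.0.0.1", port, ssl=ctx)
    except ssl.SSLError as exc:          # handle it where the connection is made
        return type(exc).__name__, exc.reason
    finally:
        server.close()
        await server.wait_closed()
    writer.close()
    return None

def compare_contexts():
    # Same failure with verification on and off: it is not a certificate error.
    strict = asyncio.run(probe(ssl.create_default_context()))
    lax = asyncio.run(probe(unverified_context()))
    return strict, lax

if __name__ == "__main__":
    print(compare_contexts())
```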

@asvetlov
Member

asvetlov commented Dec 30, 2018

Try different ssl.PROTOCOL* values.
Maybe ssl.PROTOCOL_SSLv2 can help with outdated servers

@lock

lock bot commented Jan 1, 2020

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those excerpts into that new issue.

@lock lock bot added the outdated label Jan 1, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Jan 1, 2020