SSL certificate error prints traceback despite being caught. #3912

Closed
synchronizing opened this issue Jul 19, 2019 · 4 comments


synchronizing commented Jul 19, 2019

Long story short

As the title suggests, in some specific cases ssl prints error traceback when utilizing ClientSession().get(), despite explicit catch with try/except.

Expected behaviour

If an error is caught neither error nor traceback should be shown.

Actual behaviour

Despite being caught ssl error traceback still prints.

Steps to reproduce

import asyncio
import aiohttp

async def test():
    try:
        async with aiohttp.ClientSession() as session:
            async with session.get(
                url="https://incomplete-chain.badssl.com/"
            ) as response:
                resp = await response.read()

        print("Got response. Length of {}".format(len(resp)))
    except:
        print("Error thrown!")

asyncio.run(test())

Outputs:

SSL handshake failed on verifying the certificate
protocol: <asyncio.sslproto.SSLProtocol object at 0x10de81668>
transport: <_SelectorSocketTransport fd=9 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/asyncio/sslproto.py", line 625, in _on_handshake_complete
    raise handshake_exc
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
SSL error in data received
protocol: <asyncio.sslproto.SSLProtocol object at 0x10de81668>
transport: <_SelectorSocketTransport closing fd=9 read=idle write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/Users/felipe/.pyenv/versions/3.7.2/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
Error thrown!

Your environment

Python 3.7.2
aiohttp 3.5.4
OpenSSL 1.1.1c 

Side Note

Some SSL certificates still get past the aiohttp SSL checks despite being invalid and caught by Chrome (I understand this has to do with ssl and not aiohttp, but just a sidenote.)

@synchronizing
Author

Unfortunately, I can't seem to be able to build aiohttp to attempt some fixes on my end for PR. My best bet on the issue is the following lines:

cert_errors = (ssl.CertificateError,)
cert_errors_bases = (ClientSSLError, ssl.CertificateError,)

Which should also include ssl.SSLCertVerificationError, which was introduced in ssl version 3.7. It is also worth mentioning that ssl.SSLCertVerificationError is now the officially thrown exception for ssl.CertificateError, according to their docs here.

@Harmon758
Member

Duplicate of #3675.
As those docs say, ssl.CertificateError is an alias for ssl.SSLCertVerificationError.
This is an issue with asyncio, rather than aiohttp, and should be fixed in Python 3.7.4 and 3.8.
See https://bugs.python.org/issue37035, python/cpython#13548, #3535, and https://stackoverflow.com/q/52012488/6191255.
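Added example, not part of the thread and not aiohttp or CPython code: on interpreters that still print the traceback, a loop exception handler can record certificate failures as structured data while verification stays enabled. It assumes the traceback reaches the console through the event loop's exception handler, as the message/protocol/transport layout of the output above suggests; `CertFailureRecorder`, `install` and `demo` are hypothetical names, and the context passed in `demo` is constructed.

```python
import asyncio
import ssl


class CertFailureRecorder:
    """Loop exception handler: record certificate failures, pass the rest on."""

    def __init__(self):
        self.failures = []  # (asyncio message, verify_code, verify_message)

    def __call__(self, loop, context):
        exc = context.get("exception")
        # ssl.CertificateError is the same class on Python 3.7+.
        if isinstance(exc, ssl.SSLCertVerificationError):
            self.failures.append((
                context.get("message"),
                getattr(exc, "verify_code", None),
                getattr(exc, "verify_message", None),
            ))
            return  # recorded for later inspection; nothing is printed
        # Anything that is not a certificate failure keeps the default logging.
        loop.default_exception_handler(context)


def install(loop):
    """Attach a recorder to the given loop and return it."""
    recorder = CertFailureRecorder()
    loop.set_exception_handler(recorder)
    return recorder


def demo():
    """Feed the handler a constructed context shaped like the one in the report."""
    loop = asyncio.new_event_loop()
    try:
        recorder = install(loop)
        exc = ssl.SSLCertVerificationError("certificate verify failed")
        exc.verify_code = 20  # constructed sample values
        exc.verify_message = "unable to get local issuer certificate"
        loop.call_exception_handler({
            "message": "SSL handshake failed on verifying the certificate",
            "exception": exc,
        })
        return recorder.failures
    finally:
        loop.close()


if __name__ == "__main__":
    print(demo())
```

In an application, call `install(asyncio.get_running_loop())` at the start of the coroutine. The handler only changes how the failure is reported; the handshake still fails and the exception still reaches the caller's `try`/`except`.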

@synchronizing
Author

> Duplicate of #3675.
> As those docs say, ssl.CertificateError is an alias for ssl.SSLCertVerificationError.
> This is an issue with asyncio, rather than aiohttp, and should be fixed in Python 3.7.4 and 3.8.
> See https://bugs.python.org/issue37035, python/cpython#13548, #3535, and https://stackoverflow.com/q/52012488/6191255.

Awesome, thank you for clarifying! Closing issue.

@dejurin

dejurin commented Aug 30, 2022

SSLCertVerificationError problem is not solved.
Python 3.10.5
