-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aiohttp cannot make HTTPS (SSL) requests in a Windows container #8430
Comments
|
Yeah, unless you have a specific suggestion of some way we are loading the certificates wrong, then this seems like an issue with the platform. If you want to use the certifi hack, similar to requests, then that is documented at: https://docs.aiohttp.org/en/stable/client_advanced.html#example-use-certifi |
The documentation has flaws, for example:
This may be true. But I am using the pattern that I do because other libraries, like
Nobody would be able to install things on Windows or macOS if this strategy were used with Many users with |
FTR, there's some good external discussions on the topic:
The latter also contains a recommendation of the PSF Security Developer-in-Residence to use https://truststore.rtfd.io/#using-truststore-with-aiohttp to pre-configure the CA chain. ( It also explicitly explains that setting up the cert store is something to be done in applications and not in libraries/frameworks. Hopefully, PEP 543 resurrection will also get back on track (I noticed that @woodruffw started https://github.com/trailofbits/tlslib.py, and he usually gets the job done) bringing nicer APIs in this field. |
@doctorpangloss by the way, you don't need an |
Maybe this link can be added to our docs. |
@Dreamsorcerer yep, that was my thinking. Additionally, we may want to document that it's possible to pass |
Here to give a big ++ to everything @webknjaz said, applications shouldn't be carrying around their own certificate bundles since it's only another layer of headache for operations to keep up-to-date. Delegating to the system is what all other pieces of software do, so Python applications should too. Pip got mentioned as well, pip already supports using Truststore (recent versions with |
Yes, I thought the same, but that's what I appreciate all the attention to the issue, thank you. I have also raised the issue with the Windows Containers team. Ultimately, the reason To summarize, |
Related to #955 To a certain extent, this ticket simply means that One resolution is shown in the Python code here: microsoft/Windows-Containers#503 (comment) which will essentially use Another solution is the equivalent of installing Hopefully people who find this ticket with various ssl verify errors will encourage the aiohttp maintainers to reconsider this position from a practical point of view. The only solution right now is using certifi. |
Describe the bug
Making an aiohttp request will fail in a Windows Containers on Windows (WCOW) container. It ought to fail on all completely clean, newly booted versions of bare metal Windows 2022.
This is related to microsoft/Windows-Containers#503
The root cause is that Windows containers, like all Windows 2022 images, do not have an equivalent of
ca-certificates
, the certificate store on Windows does not look like a browser's certificate bundle.To Reproduce
https
URL.certifi
as the ssl context (this example makes sense forfsspec
, which expects anasync
method andClientSession
, but the docs provide an example that make sense for other libraries):curl -I
the URL in the container's shell.This will not reproduce using
docker run
, because docker mounts something from the host into the container which propagates the side effects ofcurl -I
.Expected behavior
aiohttp
should behave normally on Windows containers, i.e., on clean copies of Windows.For the most part,
aiohttp
has been working on Windows because in a desktop environment, enough side effects have occurred (i.e. calls likecurl
) to have fixedaiohttp
all this time.Logs/tracebacks
Python Version
aiohttp Version
multidict Version
yarl Version
OS
Windows 2022 Server
Related component
Client
Additional context
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: