I'm trying to use SSL to validate clients connecting to an asyncio socket server by specifying CERT_REQUIRED and giving a `cafile` containing the client certificate to allow. Client and server code attached.
Certificates are generated with:
openssl req -x509 -newkey rsa:2048 -keyout client.key -nodes -out client.cert -sha256 -days 100
openssl req -x509 -newkey rsa:2048 -keyout server.key -nodes -out server.cert -sha256 -days 100
Observed behavior with Python 3.7.5 and OpenSSL 1.1.1d
------------------------------------------------------
When the client tries to connect without specifying a certificate, the call to asyncio.open_connection succeeds, but the received socket is closed right away, or, to be more exact, an EOF is received.
Observed behavior with Python 3.7.4 and OpenSSL 1.0.2t
------------------------------------------------------
When the client tries to connect without specifying a certificate, the call to asyncio.open_connection fails.
Expected behavior
-----------------
I'm not sure which behavior is to be considered the expected one, although I would prefer the connection to fail directly instead of returning a dead client. Wouldn't it be better to have only one behavior?
Note that when disabling TLSv1.3, the connection does fail to open:
ctx.maximum_version = ssl.TLSVersion.TLSv1_2
This can be reproduced on all the latest releases of 3.6, 3.7, and 3.8 (which all have OpenSSL 1.1.1d in my case).
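Added example, not the reporter's attached client/server code: one script that builds the same setup (an asyncio server with CERT_REQUIRED that trusts only the client's self-signed certificate) and probes it with a client that omits its certificate, once with TLS 1.3 allowed and once capped at TLS 1.2 as in the workaround above. It assumes an `openssl` binary on PATH and a Python linked against an OpenSSL with TLS 1.3; `-subj` is added to the report's command so it runs without prompts, and because the dead connection surfaces as an EOF on some versions and as an `SSLError` on others, both are reported as the single outcome "connected_then_dropped".

```python
import asyncio
import shutil
import ssl
import subprocess
import tempfile

def openssl_available():
    return shutil.which("openssl") is not None and ssl.HAS_TLSv1_3

def make_self_signed(dirpath, name):
    key, cert = f"{dirpath}/{name}.key", f"{dirpath}/{name}.cert"
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-keyout", key, "-nodes", "-out", cert,
           "-sha256", "-days", "100", "-subj", f"/CN={name}"]  # report's command plus -subj
    subprocess.run(cmd, check=True, capture_output=True)
    return key, cert

async def _probe(max_version, send_client_cert):
    with tempfile.TemporaryDirectory() as d:
        skey, scert = make_self_signed(d, "server")
        ckey, ccert = make_self_signed(d, "client")
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)    # server: require and verify a client cert
        sctx.load_cert_chain(scert, skey)
        sctx.verify_mode = ssl.CERT_REQUIRED
        sctx.load_verify_locations(cafile=ccert)           # trust only the client's self-signed cert
        sctx.maximum_version = ssl.TLSVersion[max_version] # "TLSv1_2" is the report's workaround
        async def handle(reader, writer):                  # reached only for an authenticated client
            writer.write(b"hello\n")
            await writer.drain()
            writer.close()
        server = await asyncio.start_server(handle, "127.0.0.1", 0, ssl=sctx)
        port = server.sockets[0].getsockname()[1]
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.check_hostname = False                        # CN=server does not match 127.0.0.1
        cctx.load_verify_locations(cafile=scert)
        if send_client_cert:
            cctx.load_cert_chain(ccert, ckey)
        stage = "handshake_failed"                         # TLS 1.2: alert arrives inside the handshake
        try:
            reader, writer = await asyncio.open_connection("127.0.0.1", port, ssl=cctx)
            stage = "connected_then_dropped"               # TLS 1.3: client already thinks it is done,
            if await reader.read(64):                      # so the rejection (EOF/alert) hits first read
                stage = "connected_ok"
            writer.close()
        except OSError:                                    # ssl.SSLError is an OSError subclass
            pass
        server.close()
        return stage

def probe(max_version, send_client_cert):  # max_version: "TLSv1_3" or "TLSv1_2"
    return asyncio.run(_probe(max_version, send_client_cert))
```

Running `probe("TLSv1_3", False)` and `probe("TLSv1_2", False)` side by side reproduces the two behaviors the report contrasts, and `probe("TLSv1_3", True)` confirms the same server accepts a client that does present the certificate.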