Issue46156

This issue tracker has been migrated to GitHub and is currently read-only. For more information, see the GitHub FAQs in the Python Developer Guide.

Created on 2021-12-22 19:02 by lkraav, last changed 2022-04-11 14:59 by admin.
Messages (3)

msg409050 - Author: lkraav - Date: 2021-12-22 19:02

Problems emerged when Requests phased out PyOpenSSL as their default backend: https://github.com/psf/requests/blob/main/HISTORY.md#2240-2020-06-17

Suddenly my script wasn't able to connect to a remote server that it had been working with for years. All connection attempts with the Python built-in SSL module, with various certificate or TLS configurations tested, result in a blunt ConnectionResetError during `do_handshake()`.

This leads me to believe the Python SSL module is maybe incompatible [with some IIS thing] in some perhaps fixable way, because going with the PyOpenSSL backend via `urllib3.contrib.pyopenssl.inject_into_urllib3()`

I can provide the real server name in a private email if any maintainer is interested in doing a debug run in some more thorough way that I'm unable to; let me know.

Example test:

```
$ ipython
Python 3.9.9 (main, Dec 21 2021, 17:21:49)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ssl

In [2]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

In [3]: import socket

In [4]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT, verify_mode=ssl.CERT_NONE)

In [5]: conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="webapi.remote")

In [6]: conn.connect(("webapi.remote", 52100))
---------------------------------------------------------------------------
ConnectionResetError                      Traceback (most recent call last)
<ipython-input-6-f778062c5e51> in <module>
----> 1 conn.connect(("webapi.remote", 52100))

/usr/lib/python3.9/ssl.py in connect(self, addr)
   1340         """Connects to remote ADDR, and then wraps the connection in
   1341         an SSL channel."""
-> 1342         self._real_connect(addr, False)
   1343
   1344     def connect_ex(self, addr):

/usr/lib/python3.9/ssl.py in _real_connect(self, addr, connect_ex)
   1331                 self._connected = True
   1332                 if self.do_handshake_on_connect:
-> 1333                     self.do_handshake()
   1334             return rc
   1335         except (OSError, ValueError):

/usr/lib/python3.9/ssl.py in do_handshake(self, block)
   1307             if timeout == 0.0 and block:
   1308                 self.settimeout(None)
-> 1309             self._sslobj.do_handshake()
   1310         finally:
   1311             self.settimeout(timeout)

ConnectionResetError: [Errno 104] Connection reset by peer
```
msg409052 - Author: Christian Heimes (christian.heimes) - Date: 2021-12-22 20:03

I need more information to diagnose the issue. Could you please provide:

- your operating system and vendor/distribution
- your OpenSSL version (ssl.OPENSSL_VERSION)
- how did you install Python (self-compiled, pyenv, system Python)?
- how did you install PyOpenSSL and cryptography?
- the full output of: openssl s_client -connect webapi.remote:52100
msg409140 - Author: lkraav - Date: 2021-12-24 11:47

> I need more information to diagnose the issue. Could you please provide:
> - your operating system and vendor/distribution

Gentoo, so rolling, but 20 years of maintenance experience.

> - your OpenSSL version (ssl.OPENSSL_VERSION)

```
$ python
Python 3.9.9 (main, Dec 21 2021, 17:21:49) [GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> print(ssl.OPENSSL_VERSION)
OpenSSL 1.1.1l  24 Aug 2021
```

> - how did you install Python (self-compiled, pyenv, system Python)?

System Python. On Gentoo, feature configuration revolves around USE flags, but I don't have anything curious built, with "gdbm ncurses readline sqlite ssl xml" being active:

```
$ eix dev-lang/python$
[U] dev-lang/python
     Available versions:  ... (3.9) 3.9.9^t{xpak} ... {berkdb bluetooth build examples gdbm hardened libedit lto +ncurses pgo +readline +sqlite +ssl test tk verify-sig wininst +xml ELIBC="uclibc"}
     Installed versions:  3.9.9(3.9)^t{xpak}(17:22:24 21.12.2021)(gdbm ncurses readline sqlite ssl xml -bluetooth -build -examples -hardened -lto -pgo -test -tk -verify-sig -wininst)
     Homepage:            https://www.python.org/
     Description:         An interpreted, interactive, object-oriented programming language
```

> - how did you install PyOpenSSL and cryptography?

Regular system package manager install.

```
$ eix pyopenssl
[I] dev-python/pyopenssl
     Available versions:  20.0.1^t{xpak} {doc test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  20.0.1^t{xpak}(11:43:07 03.06.2021)(-doc -test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://www.pyopenssl.org/ https://pypi.org/project/pyOpenSSL/ https://github.com/pyca/pyopenssl/
     Description:         Python interface to the OpenSSL library

$ eix cryptography
[I] dev-python/cryptography
     Available versions:  3.4.7-r2^t{xpak} **36.0.0^t {debug test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  3.4.7-r2^t{xpak}(16:35:10 21.12.2021)(-test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://github.com/pyca/cryptography/ https://pypi.org/project/cryptography/
     Description:         Library providing cryptographic recipes and primitives
```

> - the full output of: openssl s_client -connect webapi.remote:52100

```
$ openssl s_client -connect webapi.remote:52100
CONNECTED(00000003)
depth=0 CN = webapi.remote
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = webapi.remote
verify return:1
---
Certificate chain
 0 s:CN = webapi.remote
   i:CN = webapi.remote
---
Server certificate
-----BEGIN CERTIFICATE-----
<cut>
-----END CERTIFICATE-----
subject=CN = webapi.remote
issuer=CN = webapi.remote
---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1254 bytes and written 502 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 27060000127E5AA837E96D63F5DE532C53FAD1D5C034CBF3D305B7978E9636A0
    Session-ID-ctx:
    Master-Key: FAE8DE30BF627E7F02F8B4AA856075675FAF3A92365A1E9E8041F799E29CE809749B35514065255C62F0D449405C02B8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1640346190
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
DONE
```
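An added diagnostic, not code from the issue or from CPython, that gathers the facts asked for in msg409052 and separates the TCP connect from the TLS handshake, so a reset inside `do_handshake()` is reported as a handshake-stage failure (with errno or the OpenSSL reason) and a successful handshake reports the negotiated protocol and cipher. Since `webapi.remote` is not reachable here, `resetting_peer()` is a constructed local stand-in that drops the connection before answering the ClientHello; all function names are assumptions.

```python
import platform
import socket
import ssl
import sys
import threading

def environment_report():
    """The environment facts asked for in msg409052, read from the interpreter."""
    return {"python": sys.version.split()[0], "executable": sys.executable,
            "platform": platform.platform(), "openssl": ssl.OPENSSL_VERSION}

def make_context(verify=True):
    """Client context. verify=False mirrors the CERT_NONE reproducer; assign the
    attribute, since SSLContext() silently ignores unknown keyword arguments."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe(host, port, ctx, timeout=5.0):
    """Connect first, then handshake explicitly, so the failing stage is unambiguous."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "error": type(exc).__name__, "errno": exc.errno}
    with ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False) as tls:
        try:
            tls.do_handshake()
        except ssl.SSLError as exc:
            return {"stage": "handshake", "error": type(exc).__name__, "reason": exc.reason}
        except OSError as exc:  # the report's ConnectionResetError lands here
            return {"stage": "handshake", "error": type(exc).__name__, "errno": exc.errno}
        return {"stage": "ok", "protocol": tls.version(), "cipher": tls.cipher()}

def resetting_peer():
    """Constructed stand-in for the unreachable server: accepts one connection and
    drops it without answering the ClientHello. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    print(environment_report(), probe(*resetting_peer(), make_context(verify=False)))
```

Against the real host, `probe("webapi.remote", 52100, make_context(verify=False))` tells apart a refused TCP connect, a reset or alert during the handshake, and a handshake that completes but with a protocol or cipher you did not expect.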
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:59:53 | admin | set | github: 90314
2021-12-24 11:47:37 | lkraav | set | messages: + msg409140
2021-12-22 20:03:13 | christian.heimes | set | messages: + msg409052
2021-12-22 19:02:14 | lkraav | create |