This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: 3.9.9: python built-in SSL module unable to connect to an IIS server (104 Connection reset by peer), but pyopenssl works fine
Type: behavior
Stage:
Components: SSL
Versions: Python 3.9

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, lkraav
Priority: normal
Keywords:

Created on 2021-12-22 19:02 by lkraav, last changed 2022-04-11 14:59 by admin.

Messages (3)
msg409050 - (view) Author: (lkraav) Date: 2021-12-22 19:02
Problems emerged when Requests phased out PyOpenSSL as their default backend https://github.com/psf/requests/blob/main/HISTORY.md#2240-2020-06-17

Suddenly my script wasn't able to connect to a remote server that it had been working with for years.

All connection attempts with the Python built-in SSL module, with various certificate or TLS configurations tested, result in a blunt ConnectionResetError during `do_handshake()`.

This leads me to believe the Python SSL module is maybe incompatible [with some IIS thing] in some perhaps fixable way, because going with the PyOpenSSL backend via `urllib3.contrib.pyopenssl.inject_into_urllib3()`

I can provide the real server name in a private email if any maintainer is interested in doing a debug run in some more thorough way that I'm unable to; let me know.

Example test:

```
$ ipython
Python 3.9.9 (main, Dec 21 2021, 17:21:49) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ssl

In [2]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

In [3]: import socket

In [4]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT, verify_mode=ssl.CERT_NONE)

In [5]: conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="webapi.remote")

In [6]: conn.connect(("webapi.remote", 52100))
---------------------------------------------------------------------------
ConnectionResetError                      Traceback (most recent call last)
<ipython-input-6-f778062c5e51> in <module>
----> 1 conn.connect(("webapi.remote", 52100))

/usr/lib/python3.9/ssl.py in connect(self, addr)
   1340         """Connects to remote ADDR, and then wraps the connection in
   1341         an SSL channel."""
-> 1342         self._real_connect(addr, False)
   1343 
   1344     def connect_ex(self, addr):

/usr/lib/python3.9/ssl.py in _real_connect(self, addr, connect_ex)
   1331                 self._connected = True
   1332                 if self.do_handshake_on_connect:
-> 1333                     self.do_handshake()
   1334             return rc
   1335         except (OSError, ValueError):

/usr/lib/python3.9/ssl.py in do_handshake(self, block)
   1307             if timeout == 0.0 and block:
   1308                 self.settimeout(None)
-> 1309             self._sslobj.do_handshake()
   1310         finally:
   1311             self.settimeout(timeout)

ConnectionResetError: [Errno 104] Connection reset by peer
```
msg409052 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-12-22 20:03
I need more information to diagnose the issue. Could you please provide:

- your operating system and vendor/distribution
- your OpenSSL version (ssl.OPENSSL_VERSION)
- how did you install Python (self-compiled, pyenv, system Python)?
- how did you install PyOpenSSL and cryptography?
- the full output of: openssl s_client -connect webapi.remote:52100
msg409140 - (view) Author: (lkraav) Date: 2021-12-24 11:47
> I need more information to diagnose the issue. Could you please provide:
> - your operating system and vendor/distribution

Gentoo, so rolling, but 20 years of maintenance experience.

> - your OpenSSL version (ssl.OPENSSL_VERSION)

```
$ python
Python 3.9.9 (main, Dec 21 2021, 17:21:49)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> print(ssl.OPENSSL_VERSION)
OpenSSL 1.1.1l  24 Aug 2021
```


> - how did you install Python (self-compiled, pyenv, system Python)?

System Python. On Gentoo, feature configuration revolves around USE flags, but I don't have anything curious built, with "gdbm ncurses readline sqlite ssl xml" being active:

```
$ eix dev-lang/python$
[U] dev-lang/python
     Available versions:
     ...
     (3.9)  3.9.9^t{xpak}
     ...
       {berkdb bluetooth build examples gdbm hardened libedit lto +ncurses pgo +readline +sqlite +ssl test tk verify-sig wininst +xml ELIBC="uclibc"}
     Installed versions:  3.9.9(3.9)^t{xpak}(17:22:24 21.12.2021)(gdbm ncurses readline sqlite ssl xml -bluetooth -build -examples -hardened -lto -pgo -test -tk -verify-sig -wininst)
     Homepage:            https://www.python.org/
     Description:         An interpreted, interactive, object-oriented programming language
```


> - how did you install PyOpenSSL and cryptography?

Regular system package manager install.

```
$ eix pyopenssl
[I] dev-python/pyopenssl
     Available versions:  20.0.1^t{xpak} {doc test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  20.0.1^t{xpak}(11:43:07 03.06.2021)(-doc -test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://www.pyopenssl.org/ https://pypi.org/project/pyOpenSSL/ https://github.com/pyca/pyopenssl/
     Description:         Python interface to the OpenSSL library

$ eix cryptography
[I] dev-python/cryptography
     Available versions:  3.4.7-r2^t{xpak} **36.0.0^t {debug test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  3.4.7-r2^t{xpak}(16:35:10 21.12.2021)(-test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://github.com/pyca/cryptography/ https://pypi.org/project/cryptography/
     Description:         Library providing cryptographic recipes and primitives
```

> - the full output of: openssl s_client -connect webapi.remote:52100

```
$ openssl s_client -connect webapi.remote:52100
CONNECTED(00000003)
depth=0 CN = webapi.remote
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = webapi.remote
verify return:1
---
Certificate chain
 0 s:CN = webapi.remote
   i:CN = webapi.remote
---
Server certificate
-----BEGIN CERTIFICATE-----
<cut>
-----END CERTIFICATE-----
subject=CN = webapi.remote

issuer=CN = webapi.remote

---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1254 bytes and written 502 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 27060000127E5AA837E96D63F5DE532C53FAD1D5C034CBF3D305B7978E9636A0
    Session-ID-ctx:
    Master-Key: FAE8DE30BF627E7F02F8B4AA856075675FAF3A92365A1E9E8041F799E29CE809749B35514065255C62F0D449405C02B8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1640346190
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
DONE
```
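A reproducible way to work through a report like this one (the ipython session in msg409050 and the environment questions in msg409052) is to run the same handshake under several `ssl.SSLContext` variants and record which ones the peer resets, alongside the OpenSSL facts a maintainer asks for. The script below is an added example written for this page; it is not lkraav's script and not part of CPython. Because the real `webapi.remote` server is not available here, it includes a constructed local listener that accepts a TCP connection and resets it without speaking TLS, which reproduces the `[Errno 104] Connection reset by peer` symptom in `do_handshake()` for every variant. The variant labels and the `probe`/`candidate_contexts` helpers are this example's own names; the cipher name is the one `s_client` negotiated in msg409140, and the other variants are ordinary parameters to vary, not known causes of the bug. Verification is disabled only because this is a diagnostic probe against a self-signed server, as in the original report.

```python
# Added diagnostic example (not lkraav's script, not a CPython fix): run the
# handshake under several client-context variants so the parameter that makes
# the peer reset the connection can be isolated, and collect the environment
# facts a maintainer asks for first.
import socket
import ssl
import struct
import threading


def environment_report():
    """OpenSSL build details and TLS 1.3 support, returned as a dict so callers
    can log or assert on them (answers the 'ssl.OPENSSL_VERSION' question)."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_info": ssl.OPENSSL_VERSION_INFO,
        "has_tls1_3": ssl.HAS_TLSv1_3,
    }


def _base_context():
    """Diagnostic client context mirroring the report: verification is switched
    off so a self-signed certificate cannot be confused with a handshake
    incompatibility. CERT_NONE is for this probe only, never for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def candidate_contexts():
    """(label, SSLContext) pairs, each changing one handshake parameter relative
    to the defaults. Variants the local OpenSSL build cannot express are skipped."""
    variants = [("default", _base_context())]

    ctx = _base_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # send a TLS 1.2 ClientHello only
    variants.append(("max-tls1.2", ctx))

    for label, ciphers in (
        ("seclevel0", "DEFAULT:@SECLEVEL=0"),            # relax OpenSSL security level
        ("s_client-cipher", "ECDHE-RSA-AES256-SHA384"),  # only the cipher s_client used
    ):
        ctx = _base_context()
        try:
            ctx.set_ciphers(ciphers)
        except ssl.SSLError:
            continue    # this OpenSSL build has no such cipher/option; skip the variant
        variants.append((label, ctx))
    return variants


def probe(host, port, contexts, timeout=5.0):
    """Try each context against host:port and record the handshake outcome.
    Returns {label: "ok <version> <cipher>" or "failed: <ExceptionType>: <msg>"}."""
    results = {}
    for label, ctx in contexts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # wrap_socket() runs do_handshake() immediately on a connected socket
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = "ok %s %s" % (tls.version(), tls.cipher()[0])
        except OSError as exc:   # ssl.SSLError and ConnectionResetError are both OSError
            results[label] = "failed: %s: %s" % (type(exc).__name__, exc)
    return results


def start_rude_server():
    """Constructed stand-in for the misbehaving peer: a local listener that
    accepts each TCP connection and immediately resets it without speaking TLS.
    Returns (listening socket, port); close the socket when finished."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listener closed
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN,
            # so the client sees ECONNRESET (errno 104) inside do_handshake().
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    import sys
    print(environment_report())
    if len(sys.argv) == 3:                       # python probe.py HOST PORT
        host, port, srv = sys.argv[1], int(sys.argv[2]), None
    else:                                        # no target given: use the local stand-in
        srv, port = start_rude_server()
        host = "127.0.0.1"
    for label, outcome in probe(host, port, candidate_contexts()).items():
        print("%-16s %s" % (label, outcome))
    if srv is not None:
        srv.close()
```

Run with a host and port to probe a real server; with no arguments it probes the local stand-in and every variant reports a failure. Against a real peer, a variant that reports `ok` while `default` reports `failed` points at the parameter worth taking to the maintainer.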
History
Date | User | Action | Args
2022-04-11 14:59:53 | admin | set | github: 90314
2021-12-24 11:47:37 | lkraav | set | messages: + msg409140
2021-12-22 20:03:13 | christian.heimes | set | messages: + msg409052
2021-12-22 19:02:14 | lkraav | create |