python / cpython

The Python programming language
https://www.python.org

3.9.9: python built-in SSL module unable to connect to an IIS server (104 Connection reset by peer), but pyopenssl works fine #90314

Open 049c6544-1fd4-4f18-987c-802effd43681 opened 2 years ago

049c6544-1fd4-4f18-987c-802effd43681 commented 2 years ago
BPO 46156
Nosy @tiran

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

```python
assignee = 'https://github.com/tiran'
closed_at = None
created_at =
labels = ['expert-SSL', 'type-bug', '3.9']
title = '3.9.9: python built-in SSL module unable to connect to an IIS server (104 Connection reset by peer), but pyopenssl works fine'
updated_at =
user = 'https://bugs.python.org/lkraav'
```

bugs.python.org fields:

```python
activity =
actor = 'lkraav'
assignee = 'christian.heimes'
closed = False
closed_date = None
closer = None
components = ['SSL']
creation =
creator = 'lkraav'
dependencies = []
files = []
hgrepos = []
issue_num = 46156
keywords = []
message_count = 3.0
messages = ['409050', '409052', '409140']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'lkraav']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue46156'
versions = ['Python 3.9']
```

049c6544-1fd4-4f18-987c-802effd43681 commented 2 years ago

Problems emerged when Requests phased out PyOpenSSL as their default backend https://github.com/psf/requests/blob/main/HISTORY.md#2240-2020-06-17

Suddenly my script wasn't able to connect to a remote server that it had been working with for years.

All connection attempts with the Python built-in SSL module, with various certificate or TLS configurations tested, result in a blunt ConnectionResetError during do_handshake().

This leads me to believe the Python SSL module is maybe incompatible [with some IIS thing] in some perhaps fixable way, because going with the PyOpenSSL backend via urllib3.contrib.pyopenssl.inject_into_urllib3()

I can provide the real server name in a private email if any maintainer is interested in doing a debug run in some more thorough way that I'm unable to; let me know.

Example test:

```
$ ipython
Python 3.9.9 (main, Dec 21 2021, 17:21:49)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ssl

In [2]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

In [3]: import socket

In [4]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT, verify_mode=ssl.CERT_NONE)

In [5]: conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="webapi.remote")

In [6]: conn.connect(("webapi.remote", 52100))
---------------------------------------------------------------------------
ConnectionResetError                      Traceback (most recent call last)
<ipython-input-6-f778062c5e51> in <module>
----> 1 conn.connect(("webapi.remote", 52100))

/usr/lib/python3.9/ssl.py in connect(self, addr)
   1340         """Connects to remote ADDR, and then wraps the connection in
   1341         an SSL channel."""
-> 1342         self._real_connect(addr, False)
   1343 
   1344     def connect_ex(self, addr):

/usr/lib/python3.9/ssl.py in _real_connect(self, addr, connect_ex)
   1331                 self._connected = True
   1332                 if self.do_handshake_on_connect:
-> 1333                     self.do_handshake()
   1334             return rc
   1335         except (OSError, ValueError):

/usr/lib/python3.9/ssl.py in do_handshake(self, block)
   1307             if timeout == 0.0 and block:
   1308                 self.settimeout(None)
-> 1309             self._sslobj.do_handshake()
   1310         finally:
   1311             self.settimeout(timeout)

ConnectionResetError: [Errno 104] Connection reset by peer
```

tiran commented 2 years ago

I need more information to diagnose the issue. Could you please provide:

049c6544-1fd4-4f18-987c-802effd43681 commented 2 years ago

> I need more information to diagnose the issue. Could you please provide:
>
> - your operating system and vendor/distribution

Gentoo, so rolling, but 20 years of maintenance experience.

> - your OpenSSL version (ssl.OPENSSL_VERSION)

```
$ python
Python 3.9.9 (main, Dec 21 2021, 17:21:49)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> print(ssl.OPENSSL_VERSION)
OpenSSL 1.1.1l  24 Aug 2021
```
> - how did you install Python (self-compiled, pyenv, system Python)?

System Python. On Gentoo, feature configuration revolves around USE flags, but I don't have anything curious built, with "gdbm ncurses readline sqlite ssl xml" being active:

```
$ eix dev-lang/python$
[U] dev-lang/python
     Available versions:  
     ...
     (3.9)  3.9.9^t{xpak}
     ...
       {berkdb bluetooth build examples gdbm hardened libedit lto +ncurses pgo +readline +sqlite +ssl test tk verify-sig wininst +xml ELIBC="uclibc"}
     Installed versions:  3.9.9(3.9)^t{xpak}(17:22:24 21.12.2021)(gdbm ncurses readline sqlite ssl xml -bluetooth -build -examples -hardened -lto -pgo -test -tk -verify-sig -wininst)
     Homepage:            https://www.python.org/
     Description:         An interpreted, interactive, object-oriented programming language
```
> - how did you install PyOpenSSL and cryptography?

Regular system package manager install

```
$ eix pyopenssl
[I] dev-python/pyopenssl
     Available versions:  20.0.1^t{xpak} {doc test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  20.0.1^t{xpak}(11:43:07 03.06.2021)(-doc -test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://www.pyopenssl.org/ https://pypi.org/project/pyOpenSSL/ https://github.com/pyca/pyopenssl/
     Description:         Python interface to the OpenSSL library
```

```
$ eix cryptography
[I] dev-python/cryptography
     Available versions:  3.4.7-r2^t{xpak} **36.0.0^t {debug test PYTHON_TARGETS="pypy3 python3_8 python3_9 python3_10"}
     Installed versions:  3.4.7-r2^t{xpak}(16:35:10 21.12.2021)(-test PYTHON_TARGETS="python3_9 -pypy3 -python3_8 -python3_10")
     Homepage:            https://github.com/pyca/cryptography/ https://pypi.org/project/cryptography/
     Description:         Library providing cryptographic recipes and primitives
```
> - the full output of: openssl s_client -connect webapi.remote:52100

```
$ openssl s_client -connect webapi.remote:52100
CONNECTED(00000003)
depth=0 CN = webapi.remote
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = webapi.remote
verify return:1
---
Certificate chain
 0 s:CN = webapi.remote
   i:CN = webapi.remote
---
Server certificate
-----BEGIN CERTIFICATE-----
<cut>
-----END CERTIFICATE-----
subject=CN = webapi.remote

issuer=CN = webapi.remote

---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1254 bytes and written 502 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 27060000127E5AA837E96D63F5DE532C53FAD1D5C034CBF3D305B7978E9636A0
    Session-ID-ctx: 
    Master-Key: FAE8DE30BF627E7F02F8B4AA856075675FAF3A92365A1E9E8041F799E29CE809749B35514065255C62F0D449405C02B8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1640346190
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
DONE
```
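A diagnostic harness for a handshake reset like the one reported above, added here as an example (it is not code from the issue or from CPython): it confirms that the verify_mode= keyword in the IPython session is silently dropped by SSLContext, builds one client context per hypothesis (the TLS 1.2 version and the ECDHE-RSA-AES256-SHA384 suite that s_client negotiated), and labels each failure so the candidates can be compared side by side. The candidate settings are assumptions; the thread never identifies the cause, and probe() needs the real host and port, which were not shared.

```python
import socket
import ssl


def constructor_kwarg_is_ignored():
    # SSLContext.__new__ swallows extra kwargs, so the verify_mode= in the IPython session had no effect.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT, verify_mode=ssl.CERT_NONE)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True


def make_context(verify, versions=None, ciphers=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:                    # diagnostic runs only; set via attributes
        ctx.check_hostname = False    # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    if versions is not None:          # (minimum, maximum) TLSVersion pair
        ctx.minimum_version, ctx.maximum_version = versions
    if ciphers is not None:
        ctx.set_ciphers(ciphers)
    return ctx


def candidates():
    # One context per hypothesis; TLS 1.2 + ECDHE-RSA-AES256-SHA384 mirror the s_client run above.
    v12 = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
    return {
        "default": make_context(verify=False),
        "tls12-only": make_context(verify=False, versions=v12),
        "s_client-suite": make_context(False, v12, "ECDHE-RSA-AES256-SHA384"),
    }


def classify(exc):
    # Label a handshake failure so runs against the peer can be compared.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "verify-failed"   # peer got far enough to present a certificate
    if isinstance(exc, ConnectionResetError):
        return "reset"           # peer tore down TCP mid-handshake (the symptom above)
    if isinstance(exc, ssl.SSLError):
        return "tls-error"       # alert or protocol error surfaced by OpenSSL
    return type(exc).__name__


def probe(host, port, ctx, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version(), tls.cipher()[0]
    except OSError as exc:
        return classify(exc), None, None
```

Running probe(host, port, ctx) for each entry of candidates() shows whether the peer resets only the default context, which narrows the mismatch to version or cipher negotiation before digging further.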

vkyt commented 4 months ago

Has there been any update to this issue? I'm running into a very similar issue with requests on Python 3.10.12; wondering if you were able to resolve the original issue...