[New-bugs-announce] [issue39194] asyncio.open_connection returns a closed client when server fails to authenticate client certificate

Jonathan Martin report at bugs.python.org
Thu Jan 2 10:09:12 EST 2020


New submission from Jonathan Martin <jonathan.martin at marss.com>:

I'm trying to use SSL to validate clients connecting to an asyncio socket server by specifying CERT_REQUIRED and giving a `cafile` containing the client certificate to allow. Client and server code attached.

Certificates are generated with:

openssl req -x509 -newkey rsa:2048 -keyout client.key -nodes -out client.cert -sha256 -days 100

openssl req -x509 -newkey rsa:2048 -keyout server.key -nodes -out server.cert -sha256 -days 100

Observed behavior with python 3.7.5 and openSSL 1.1.1d
------------------------------------------------------

When the client tries to connect without specifying a certificate, the call to asyncio.open_connection succeeds, but the received socket is closed right away, or to be more exact an EOF is received.

Observed behavior with python 3.7.4 and openSSL 1.0.2t
------------------------------------------------------

When the client tries to connect without specifying a certificate, the call to asyncio.open_connection fails.

Expected behavior
-----------------

I'm not sure which behavior is to be considered the expected one, although I would prefer the connection to fail directly instead of returning a dead client. Wouldn't it be better to have only one behavior?

Note that when disabling TLSv1.3, the connection does fail to open:
ctx.maximum_version = ssl.TLSVersion.TLSv1_2

This can be reproduced on all latest releases of 3.6, 3.7, and 3.8 (which all have openssl 1.1.1d in my case).

----------
assignee: christian.heimes
components: SSL, asyncio
files: example_code.py
messages: 359200
nosy: Jonathan Martin, asvetlov, christian.heimes, yselivanov
priority: normal
severity: normal
status: open
title: asyncio.open_connection returns a closed client when server fails to authenticate client certificate
type: behavior
versions: Python 3.6, Python 3.7, Python 3.8
Added file: https://bugs.python.org/file48824/example_code.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39194>
_______________________________________
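
The two behaviours described in the report, as an added example that is not part of the original message or its attached example_code.py. It reuses the report's openssl command (with `-subj` added so it runs without prompts) and assumes an `openssl` binary on PATH; the names `make_cert`, `probe` and `run` are hypothetical. With TLS 1.3 the client's handshake completes before the server has checked the client certificate, so a successful `open_connection` only becomes meaningful after the first read.

```python
import asyncio, ssl, subprocess, tempfile
from pathlib import Path

def make_cert(directory, name):
    # Self-signed certificate, generated as in the report; -subj is an addition.
    key, cert = str(Path(directory, name + ".key")), str(Path(directory, name + ".cert"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-keyout", key,
                    "-nodes", "-out", cert, "-sha256", "-days", "100",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return key, cert

async def probe(directory, version_name):
    """Connect WITHOUT a client certificate; return 'refused', 'dead' or 'alive'."""
    server_key, server_cert = make_cert(directory, "server")
    _, client_cert = make_cert(directory, "client")
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(server_cert, server_key)
    sctx.verify_mode = ssl.CERT_REQUIRED            # server demands a client cert
    sctx.load_verify_locations(cafile=client_cert)  # only this cert is allowed
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False  # loopback test: the server cert itself is pinned
    cctx.load_verify_locations(cafile=server_cert)
    cctx.maximum_version = ssl.TLSVersion[version_name]

    async def handle(reader, writer):
        writer.write(b"hello\n")  # only reached if the client was authenticated
        await writer.drain()
        writer.close()

    server = await asyncio.start_server(handle, "127.0.0.1", 0, ssl=sctx)
    port = server.sockets[0].getsockname()[1]
    try:
        try:
            reader, writer = await asyncio.open_connection("127.0.0.1", port, ssl=cctx)
        except OSError:           # ssl.SSLError and ConnectionError are OSErrors
            return "refused"      # handshake itself failed
        try:
            data = await asyncio.wait_for(reader.readline(), timeout=5)
        except OSError:
            data = b""            # TLS alert or reset on first read
        writer.close()
        return "alive" if data else "dead"
    finally:
        server.close()

def run(version_name):
    with tempfile.TemporaryDirectory() as d:
        return asyncio.run(probe(d, version_name))
```

`run("TLSv1_3")` returns `"dead"` and `run("TLSv1_2")` returns `"refused"`, so a client that must know it was accepted has to wait for the first application-level response rather than trust the return of `open_connection`.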

