How do I authenticate AsyncIO client with certs (mTLS)

[bhakta0007]

I am using python-socketio async client.
My server endpoint is moving to WSS and is expecting the client to pass in a certificate (mTLS).

Is there an example on how to do this.

I tried the below snippet, but it fails with SSL error

loop = asyncio.get_event_loop()
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("/tmp/client.crt", "/tmp/client.key")
conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
cs = aiohttp.ClientSession(connector=conn)
sio = socketio.AsyncClient(http_session=cs, ssl_verify=False, logger=True, engineio_logger=True)

results in:

# python ws.py

ws.py:27: DeprecationWarning: ssl_context is deprecated, use ssl=context instead
  conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
ws.py:28: DeprecationWarning: The object should be created from async function
  cs = aiohttp.ClientSession(connector=conn)
setting sio to <socketio.asyncio_client.AsyncClient object at 0x7f19cccff048>
2022-09-18 15:18:05 INFO     Try to connect to wss://mtls-nginx.local:4528
2022-09-18 15:18:06 ERROR    Error connect to server: Unexpected status code 400 in server response
2022-09-18 15:18:06 INFO     Try re-connect in 5 seconds
Traceback (most recent call last):

versions:

certifi==2020.12.5
python-engineio==4.3.2
python-socketio==5.6.0
websockets==8.0

Server is nginx acting as a reverse-proxy to asyncio server. The request is not reaching the server - failing cert validation at nginx - this makes me believe that my code is not passing the certs correctly?

Any pointers/thoughts?

[miguelgrinberg]

This is really a question for the aiohttp project, since that is where the SSL configuration is applied, not in this project. I honestly do not know what the correct syntax is, I have never used client certs for authentication.

The response from your server is 400 though, so it doesn't look like an authentication problem, unless nginx is somehow returning incorrect status codes, which is unlikely.

[bhakta0007]

you are right on the 400 part - i am trying to get more information from the server to know the reason for the error. Client side log of the response shows 400 Bad Request, I see the same error even when I give a totally invalid cert/key combination.

Let me get more logs from the server side

[bhakta0007]

I did a test, I ran a simple asyncio program to test this:

import aiohttp
import asyncio
import ssl

url = "https://mtls-nginx.local:4528/socket.io/?transport=polling&EIO=4&t=1663518677.7204537"

async def main():
    ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_ctx.load_cert_chain("/tmp/client.crt", "/tmp/client.key")
    conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
    cs = aiohttp.ClientSession(connector=conn)
    async with cs:
        async with cs.get(url) as resp:
            print(resp.status)
            print(await resp.text())

asyncio.run(main())

And this runs fine:

# python at.py
at.py:11: DeprecationWarning: ssl_context is deprecated, use ssl=context instead
  conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
200
0{"sid":"iCZC5m_2PDk7ODAZACjP","upgrades":["websocket"],"pingTimeout":20000,"pingInterval":25000}

In fact I used a similar URL that the socketio was trying to access:
So it looks like the cert + endpoint combination is fine.

added more instrumentation to engineio/asyncio_client.py to dump the response text when the socketio program tries to connect and this is what I see:

python ws.py
2022-09-18 16:33:10 DEBUG    Using selector: EpollSelector
ws.py:28: DeprecationWarning: ssl_context is deprecated, use ssl=context instead
  conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
ws.py:29: DeprecationWarning: The object should be created from async function
  cs = aiohttp.ClientSession(connector=conn)
setting sio to <socketio.asyncio_client.AsyncClient object at 0x7ffbc46ce080>
2022-09-18 16:33:10 INFO     hostAgent: started..
2022-09-18 16:33:10 INFO     Start Agent
2022-09-18 16:33:10 INFO     Try to connect to wss://mtls-nginx.local:4528
2022-09-18 16:33:10 INFO     Attempting polling connection to https://mtls-nginx.local:4528/socket.io/?transport=polling&EIO=4
2022-09-18 16:33:11 ERROR    Error connect to server: Unexpected status code 400 in server response <html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

So its a cert issue, I need to figure out why the certs are not getting passed through.

[bhakta0007]

Digging further, I found this

ssl_verify – True to verify SSL certificates, or False to skip SSL certificate verification, allowing connections to servers with self signed certificates. The default is True.

I had set ssl_verify = False : reason being my server cert is self signed and I didn't want to introduce CA and verification at this point. My goal was just to pass the client cert and accept any server cert.

Just to see what happens, I set ssl_verify=True and it started working.. The client is now able to connect to the nginx with the end-to-end path working.

So it apears that ssl_verify=False has some bearing on the client certs not being sent to the server - this shouldn't be the case?

[miguelgrinberg]

Oh, I see. Yeah, the problem is that ssl_verify=False creates an SSL context configured to bypass cert validation. This is meant to be used when you do not provide an SSL context. If you provide your own context, then you have full control and can configure everything yourself. I'll make the client raise an exception when both options are provided together, since it does not make sense to do that.

[bhakta0007]

If ssl_verify=True, then how do we specify a ca file in case the cert is self signed?

I am wondering how it worked for my case without specifying the ca file anywhere.

[miguelgrinberg]

Your ssl context is all there is. If you don't pass ssl_verify=False, then this package doesn't do anything related to ssl, it just passes your context to aiohttp and assume you know what you are doing. If the server cert wasn't being verified then your context must have been configured to skip validation.

[bhakta0007]

Got it.. thanks for the quick response

[bhakta0007]

Can we add this to the documentation as an example usage

[pls feel free to edit the contents]

Using client certificates to establish mTLS session with server and authenticating self signed server certificates:

loop = asyncio.get_event_loop()

# The assumption here is that the client needs to present valid certs in order to connect to the server
# the client certs are available at some location
# This is the wss:// case with additional client certificate validation (mTLS - or mutual TLS)

# Optionally, we can authenticate the server cert (recommended)
authenticate_server = True

if authenticate_server:
    ssl_ctx = ssl.create_default_context()
    # if server is using a trusted authority then we don't need to load verify locations.
    # However - if the server is using a self signed certificate, we need to provide the CA crt
    # so the server response can be validated
    ssl_ctx.load_verify_locations("/path/to/server_ca.crt")
else:
    # this will only send client cert, but ignore validating Server certificate
    ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

# Load the client cert chain. This will be sent to the server
ssl_ctx.load_cert_chain("/path/client.crt", "/path/to/client.key")
conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
cs = aiohttp.ClientSession(connector=conn)
sio = socketio.AsyncClient(http_session=cs, ssl_verify=True)

b.t.w: I can send an edit to the doc as well , and you can review it. let me know?

[miguelgrinberg]

Thanks for the detailed code. I'll look into adding this to the docs. I will need to do some additional work because for consistency the non-asyncio client will need to be covered as well. Also the case of only server cert, which isn't covered in your example.

[bhakta0007]

I can write up all the combinations - I need some time.

[bhakta0007]

Async client case:

1. Default SIO client
# Create the sio client. This will work for both ws:// and wss:// case.
# for wss:// case the server must present a certificate that is trusted by the client's ca certificate

sio = socketio.AsyncClient()


2. SIO client with custom http_session layer

# the SSL context can be customized - in the following cases
# 1. Server is presenting a self signed certificate.
# 2. Server is expecting a client certificate

# if the purpose is just to send the client cert, but ignore validating the server cert (for self signed certs)

ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("/path/to/client.crt", "/path/to/client.key")


# If server is sending a self signed cert and you have the CA to verify the server cert (but do not want to add it to system's tursted CA)
ssl_ctx = ssl.create_default_context() 
ssl_ctx.load_verify_locations(verify)

use this to create the http_session


conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
cs = aiohttp.ClientSession(connector=conn)
sio = socketio.AsyncClient(http_session=cs, ssl_verify=True)


# If server is sending a self signed cert and you have the CA to verify the server cert (but do not want to add it to system's tursted CA)
# Note: you can combine this with load_cert_chain as shown above to add client certs
ssl_ctx = ssl.create_default_context()
ssl_ctx.load_verify_locations("/path/to/server_verify.ca")

Sync client case:


1. Default SIO client
# Create the sio client. This will work for both ws:// and wss:// case.
# for wss:// case the server must present a certificate that is trusted by the client's ca certificate

sio = socketio.Client()

2. SIO client with custom http_session layer

# the SSL context can be customized - in the following cases
# 1. Server is presenting a self signed certificate.
# 2. Server is expecting a client certificate
session = requests.Session()
session.verify = "/path/to/server_verify.ca"
session.cert = ("path/to/client.crt", "/path/to/client.key")


# if the purpose is just to send the client cert, but ignore validating the server cert (for self signed certs)
session = requests.Session()
session.cert = ("path/to/client.crt", "/path/to/client.key")
sio = socketio.Client(http_session=session)

# If server is sending a self signed cert and you have the CA to verify the server cert (but do not want to add it to system's tursted CA)
session.verify = "/path/to/server_verify.ca"

sio = socketio.Client(http_session=session)

[miguelgrinberg]

Thank you so much for collecting all these examples, this saved me a lot of time. I have included this information in the documentation now. Thanks again!