
asyncio.open_connection returns a closed client when server fails to authenticate client certificate #83375

Open
JonathanMartin mannequin opened this issue Jan 2, 2020 · 3 comments
Labels
3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes topic-asyncio type-bug An unexpected behavior, bug, or error

Comments


JonathanMartin mannequin commented Jan 2, 2020

BPO 39194
Nosy @tiran, @asvetlov, @1st1
Files
  • example_code.py

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2020-01-02.15:09:12.015>
    labels = ['type-bug', '3.8', '3.9', '3.10', '3.11', 'expert-asyncio']
    title = 'asyncio.open_connection returns a closed client when server fails to authenticate client certificate'
    updated_at = <Date 2021-04-21.06:36:33.422>
    user = 'https://bugs.python.org/JonathanMartin'

    bugs.python.org fields:

    activity = <Date 2021-04-21.06:36:33.422>
    actor = 'christian.heimes'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['asyncio']
    creation = <Date 2020-01-02.15:09:12.015>
    creator = 'Jonathan Martin'
    dependencies = []
    files = ['48824']
    hgrepos = []
    issue_num = 39194
    keywords = []
    message_count = 2.0
    messages = ['359200', '391489']
    nosy_count = 4.0
    nosy_names = ['christian.heimes', 'asvetlov', 'yselivanov', 'Jonathan Martin']
    pr_nums = []
    priority = 'normal'
    resolution = None
    stage = None
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue39194'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']


    JonathanMartin mannequin commented Jan 2, 2020

I'm trying to use SSL to validate clients connecting to an asyncio socket server by specifying CERT_REQUIRED and giving a cafile containing the client certificate to allow. Client and server code attached.

    Certificates are generated with:

    openssl req -x509 -newkey rsa:2048 -keyout client.key -nodes -out client.cert -sha256 -days 100

    openssl req -x509 -newkey rsa:2048 -keyout server.key -nodes -out server.cert -sha256 -days 100

Observed behavior with Python 3.7.5 and OpenSSL 1.1.1d
    ------------------------------------------------------

    When the client tries to connect without specifying a certificate, the call to asyncio.open_connection succeeds, but the received socket is closed right away, or to be more exact an EOF is received.

Observed behavior with Python 3.7.4 and OpenSSL 1.0.2t
    ------------------------------------------------------

    When the client tries to connect without specifying a certificate, the call to asyncio.open_connection fails.

    Expected behavior
    -----------------

I'm not sure which behavior is to be considered the expected one, although I would prefer the connection to fail directly instead of returning a dead client. Wouldn't it be better to have only one behavior?

    Note that when disabling TLSv1.3, the connection does fail to open:
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

This can be reproduced on all latest releases of 3.6, 3.7, and 3.8 (which all have OpenSSL 1.1.1d in my case).

    @JonathanMartin JonathanMartin mannequin assigned tiran Jan 2, 2020
    @JonathanMartin JonathanMartin mannequin added type-bug An unexpected behavior, bug, or error topic-SSL 3.7 (EOL) end of life 3.8 only security fixes topic-asyncio labels Jan 2, 2020
    @tiran
    Member

    tiran commented Apr 21, 2021

    I'm unassigning myself. This seems to be an asyncio-specific behavior.

    @tiran tiran added 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes and removed topic-SSL 3.7 (EOL) end of life labels Apr 21, 2021
    @tiran tiran removed their assignment Apr 21, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @RouquinBlanc

This is still the case in Python 3.9 and 3.10. Until now we are using the following option to go around the issue:

        sc = ssl.create_default_context(...)
        sc.options |= ssl.OP_NO_TLSv1_3

    But in python 3.10 the use of this flag is deprecated...
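The behaviour reported above and the workaround in this last comment come from the same TLS 1.3 property: the client's side of the handshake is complete before the server has evaluated the client certificate, so a rejected client sees `asyncio.open_connection()` succeed and then gets EOF on its first read, while under TLS 1.2 the server refuses before the client's handshake finishes. The following is an added example (not the attached example_code.py and not CPython's code) showing a defensive client that only treats a connection as usable once the peer has sent its first line, plus the server-side context from the thread that caps the version with `maximum_version` rather than the deprecated `OP_NO_TLSv1_3` flag. The banner, the stand-in plain TCP server, and the helper names (`open_connection_checked`, `probe`, `client_auth_context`) are all constructed for the demo; the stand-in server simulates the two outcomes without TLS so the script runs without any certificates.

```python
"""Detect a 'dead' client returned by asyncio.open_connection() (added example)."""
import asyncio
import ssl

BANNER = b"READY\n"  # constructed greeting the demo server sends on accept


class PeerClosedEarly(ConnectionError):
    """Raised when the peer hangs up before sending any application data."""


async def open_connection_checked(host, port, *, timeout=2.0, **kwargs):
    """Like asyncio.open_connection(), but return only once the peer has sent
    its first line. EOF before that line means the peer rejected us, which is
    how a client-certificate failure surfaces after a TLS 1.3 handshake."""
    reader, writer = await asyncio.open_connection(host, port, **kwargs)
    try:
        first = await asyncio.wait_for(reader.readline(), timeout)
    except BaseException:
        writer.close()
        raise
    if not first:  # b"" is EOF: the server closed right after the handshake
        writer.close()
        raise PeerClosedEarly("peer closed the connection before sending data")
    return first, reader, writer


async def _demo_server(accept: bool):
    """Constructed stand-in: greet the client, or drop it immediately the way
    a TLS 1.3 server drops a client whose certificate failed verification."""
    async def handle(reader, writer):
        if accept:
            writer.write(BANNER)
            await writer.drain()
        writer.close()
        await writer.wait_closed()

    return await asyncio.start_server(handle, "127.0.0.1", 0)


async def _connect_once(accept: bool) -> str:
    server = await _demo_server(accept)
    port = server.sockets[0].getsockname()[1]
    try:
        first, _reader, writer = await open_connection_checked("127.0.0.1", port)
        writer.close()
        await writer.wait_closed()
        return first.decode().strip()
    except PeerClosedEarly:
        return "rejected"
    finally:
        server.close()
        await server.wait_closed()


def probe(accept: bool) -> str:
    """Run one attempt: 'READY' when the peer accepted, 'rejected' when it
    hung up before sending anything (the dead-client case from the issue)."""
    return asyncio.run(_connect_once(accept))


def client_auth_context(cafile=None) -> ssl.SSLContext:
    """Server-side context as described in the thread: require a client
    certificate and cap at TLS 1.2 via maximum_version (the supported form of
    the OP_NO_TLSv1_3 workaround) so a rejected client fails inside
    open_connection() instead of receiving a dead stream. cafile is the CA
    bundle holding the allowed client certificates (None here for the demo)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("accepting server:", probe(True))
    print("rejecting server:", probe(False))
    print("server context caps at", client_auth_context().maximum_version.name)
```

Capping at TLS 1.2 trades away TLS 1.3 for the whole server, so the first-read check is the more general fix: it works with either version and with any server that rejects after the handshake, at the cost of requiring the protocol to have the server speak first.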
