Package: python3
Version: 3.7.3-1
Severity: normal

Dear Maintainer,

I noticed an issue using aiohttp with Python 3.7.3 in Debian Buster.
When a request fails due to SSL certificate problems there are
asyncio loop exceptions triggered — although my code is wrapped in a
try-except block. MWE:

    import aiohttp
    import asyncio

    URI = 'https://www.debian.org/'

    async def main():
        print(">>BEGIN")
        try:
            async with aiohttp.request('GET', URI) as resp:
                data = await resp.text()
        except BaseException as e:
            print(f"ERROR: {e!r}")
        print(">>DONE")

    if __name__ == '__main__':
        asyncio.run(main())

Running this code with failing SSL, e.g. as `faketime 2025-01-01
python3 ./testssl.py` triggers loop exceptions that completely bypass
my exception handler:

    >>BEGIN
    SSL handshake failed on verifying the certificate
    protocol: <asyncio.sslproto.SSLProtocol object at 0x7f162af8fe48>
    transport: <_SelectorSocketTransport fd=8 read=polling write=<idle, bufsize=0>>
    Traceback (most recent call last):
      File "/usr/lib/python3.7/asyncio/sslproto.py", line 625, in _on_handshake_complete
        raise handshake_exc
      File "/usr/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
        self._sslobj.do_handshake()
      File "/usr/lib/python3.7/ssl.py", line 763, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
        certificate has expired (_ssl.c:1056)
    SSL error in data received
    ...
    ERROR: ClientConnectorCertificateError()
    >>DONE
    Unclosed client session
    client_session: <aiohttp.client.ClientSession object at 0x7f162b614518>

Moreover, the stack traces are not related to my code at all and the
"Unclosed client session" message indicates that the cleanup code in
the `async with` statement did not run either.

Using Python 3.9.2 with aiohttp 3.7.4-1 works as intended in this
case: there is only the message from my exception handler:

    >>BEGIN
    ERROR: ClientConnectorCertificateError(ConnectionKey(host='www.debian.org', port=443,
        is_ssl=True, ssl=None, proxy=None, proxy_auth=None, proxy_headers_hash=None),
        SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
        failed: certificate has expired (_ssl.c:1123)'))
    >>DONE

Since the code in the stack trace from the loop's handler above
indicates an issue in Python itself, I reported against python3.
However, I am not entirely sure if this is a problem in Python or in
aiohttp.

Best,
Maximilian
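
Added example, not part of the original report: the `message` / `protocol` / `transport` layout in the first output is the format asyncio's default loop exception handler logs, a channel separate from the caller's `try`/`except`. The sketch below installs a custom handler with `loop.set_exception_handler()` so certificate verification failures are recorded instead of printed; `make_cert_failure_collector` and `demo` are hypothetical names, and the context passed in is constructed to mirror the report, so it runs offline.

```python
import asyncio
import ssl


def make_cert_failure_collector(sink):
    """Return a loop exception handler that records TLS verification failures."""
    def handler(loop, context):
        exc = context.get("exception")
        if isinstance(exc, ssl.SSLCertVerificationError):
            sink.append({
                "message": context.get("message"),
                "error": str(exc),
                # Set by the ssl module on real handshake failures; may be
                # absent on a hand-constructed exception, hence getattr.
                "verify_message": getattr(exc, "verify_message", None),
            })
            return
        # Anything else keeps asyncio's normal logging behaviour.
        loop.default_exception_handler(context)
    return handler


def demo():
    failures = []
    loop = asyncio.new_event_loop()
    try:
        loop.set_exception_handler(make_cert_failure_collector(failures))
        # Constructed context: same message and exception type as in the report.
        err = ssl.SSLCertVerificationError(
            1,
            "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
            "certificate has expired",
        )
        loop.call_exception_handler({
            "message": "SSL handshake failed on verifying the certificate",
            "exception": err,
        })
    finally:
        loop.close()
    return failures


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The handler only changes how the loop-level report is routed; the exception raised to the caller still has to be caught in the coroutine as in the MWE.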
