New submission from Jonathan Martin <jonathan.mar...@marss.com>:

I'm trying to use SSL to validate clients connecting to an asyncio socket server 
by specifying CERT_REQUIRED and giving a `cafile` containing the client 
certificate to allow. Client and server code attached.

Certificates are generated with:

openssl req -x509 -newkey rsa:2048 -keyout client.key -nodes -out client.cert -sha256 -days 100

openssl req -x509 -newkey rsa:2048 -keyout server.key -nodes -out server.cert -sha256 -days 100

Observed behavior with python 3.7.5 and openSSL 1.1.1d
------------------------------------------------------

When the client tries to connect without specifying a certificate, the call to 
asyncio.open_connection succeeds, but the received socket is closed right away, 
or to be more exact an EOF is received.

Observed behavior with python 3.7.4 and openSSL 1.0.2t
------------------------------------------------------

When the client tries to connect without specifying a certificate, the call to 
asyncio.open_connection fails.

Expected behavior
-----------------

I'm not sure which behavior is to be considered the expected one, although I 
would prefer the connection to fail directly instead of returning a dead client. 
Wouldn't it be better to have only one behavior?

Note that when disabling TLSv1.3, the connection does fail to open:
ctx.maximum_version = ssl.TLSVersion.TLSv1_2

This can be reproduced on all latest releases of 3.6, 3.7, and 3.8 (which all 
have openssl 1.1.1d in my case).

----------
assignee: christian.heimes
components: SSL, asyncio
files: example_code.py
messages: 359200
nosy: Jonathan Martin, asvetlov, christian.heimes, yselivanov
priority: normal
severity: normal
status: open
title: asyncio.open_connection returns a closed client when server fails to authenticate client certificate
type: behavior
versions: Python 3.6, Python 3.7, Python 3.8
Added file: https://bugs.python.org/file48824/example_code.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39194>
_______________________________________
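The two behaviors come from the protocol, not from asyncio: under TLS 1.3 the client finishes its handshake in the same flight that carries its certificate, so the server's rejection can only arrive afterwards, as an alert or EOF on the first read, while under TLS 1.2 the server rejects the certificate before the handshake completes and open_connection raises. A client that needs one consistent outcome therefore has to check for both. The following is an added example (not the code attached to the report) of such a client paired with a server that sends a small application-level greeting once the handshake has succeeded; the greeting, the result strings and the plaintext demo servers are constructed for illustration. Pass real SSLContext objects (CERT_REQUIRED with the report's cafile on the server side) to exercise it over TLS.

```python
import asyncio
import socket
import ssl
from typing import Optional

GREETING = b"OK\n"  # hypothetical greeting sent only after a successful handshake


async def serve_with_greeting(host: str, port: int,
                              ssl_ctx: Optional[ssl.SSLContext]) -> asyncio.AbstractServer:
    """Start a server whose handler greets the peer; asyncio only invokes the
    handler after the (mutual) TLS handshake succeeded, so receiving the
    greeting proves the client certificate was accepted."""
    async def handle(reader, writer):
        writer.write(GREETING)
        await writer.drain()
        writer.close()
    return await asyncio.start_server(handle, host, port, ssl=ssl_ctx)


async def connect_checked(host: str, port: int, ssl_ctx: Optional[ssl.SSLContext],
                          timeout: float = 2.0) -> str:
    """Connect and return 'ok', 'rejected' or 'connect_error'.
    TLS 1.2: a rejected client cert raises from open_connection (connect_error).
    TLS 1.3: open_connection succeeds and the rejection shows up as EOF or an
    SSL alert on the first read (rejected), which the greeting check catches."""
    try:
        reader, writer = await asyncio.open_connection(host, port, ssl=ssl_ctx)
    except (ssl.SSLError, OSError):
        return "connect_error"
    try:
        line = await asyncio.wait_for(reader.readline(), timeout)
    except (ssl.SSLError, OSError, asyncio.TimeoutError):
        line = b""  # alert, reset or silence: treat like EOF
    finally:
        writer.close()
    return "ok" if line == GREETING else "rejected"


async def demo_plaintext() -> dict:
    """Constructed loopback run without TLS: a greeting server, a server that
    drops the connection (stand-in for the TLS 1.3 post-handshake rejection)
    and a closed port (stand-in for the TLS 1.2 handshake failure)."""
    async def drop(reader, writer):
        writer.close()
    ok_srv = await serve_with_greeting("127.0.0.1", 0, None)
    drop_srv = await asyncio.start_server(drop, "127.0.0.1", 0)
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]; probe.close()
    ok_port = ok_srv.sockets[0].getsockname()[1]
    drop_port = drop_srv.sockets[0].getsockname()[1]
    try:
        return {"greeting": await connect_checked("127.0.0.1", ok_port, None),
                "dropped": await connect_checked("127.0.0.1", drop_port, None),
                "refused": await connect_checked("127.0.0.1", closed_port, None)}
    finally:
        ok_srv.close(); drop_srv.close()
```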