SSL with closed connections #3052

Usever · 2018-06-04T18:45:51Z

Long story short

Receiving strange errors when bots are connecting to my SSL (HTTPS) server without sending any data and disconnecting afterwards.
SSL protocol handler inside aiohttp shows unexpected errors. This never happens to plain HTTP connections.

Expected behaviour

No messages received (as for HTTP protocol).

Actual behaviour

Multiple errors:
task: <Task pending coro=<RequestHandler.start() done, defined at C:\Program Files\Python36\lib\site-packages\aiohttp\web_protocol.py:342> wait_for=<Future pending cb=[<TaskWakeupMethWrapper object at 0x000001E0FBF59D98>()]>>
Task was destroyed but it is pending!

Steps to reproduce

Run simple example:

import asyncio  
import aiohttp.web
import ssl

async def fetch_page():
    while True:
        reader, writer = await asyncio.open_connection('127.0.0.1', 443)
        writer.close()
    
async def request_handler(request: aiohttp.web.BaseRequest):
    await request.read()
    return aiohttp.web.Response(status=200, content_type='text/html')

async def start_server():
    ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_context.check_hostname = False
    ssl_context.load_cert_chain('any.crt', 'any.key')

    server = aiohttp.web.Server(request_handler)
    await loop.create_server(server, '127.0.0.1', 443, ssl=ssl_context) # removing ssl=ssl_context disables SSL and fixes the bug
    await fetch_page()

if __name__ == '__main__':  
    loop = asyncio.get_event_loop()
    loop.run_until_complete(asyncio.gather(asyncio.Task(start_server())))

Your environment

Checked both Windows 10 and CentOS 7, aiohttp 3.0.4 and 3.3.0

The text was updated successfully, but these errors were encountered:

asvetlov · 2018-06-05T12:56:34Z

Do you have additional logs? PYTHONASYNCIODEBUG mode can help.
wait_for=... surprises me, aiohttp doesn't use this function at all.

Usever · 2018-06-07T09:41:37Z

The following output can be seen in debugging mode:

Executing <Task pending coro=<start_server() running at C:\reproduce.py:31> wait_for=<_GatheringFuture pending cb=[<Task
WakeupMethWrapper object at 0x000001CB1FBC7B28>()] created at C:\Program Files\Python36\lib\asyncio\tasks.py:549> cb=[ga
ther.<locals>._done_callback(0)() at C:\Program Files\Python36\lib\asyncio\tasks.py:616] created at C:\reproduce.py:36>
took 0.172 seconds
Error on transport creation for incoming connection
handle_traceback: Handle created at (most recent call last):
  File "C:\reproduce.py", line 36, in <module>
    loop.run_until_complete(asyncio.gather(asyncio.Task(start_server())))
  File "C:\Program Files\Python36\lib\asyncio\base_events.py", line 455, in run_until_complete
    self.run_forever()
  File "C:\Program Files\Python36\lib\asyncio\base_events.py", line 422, in run_forever
    self._run_once()
  File "C:\Program Files\Python36\lib\asyncio\base_events.py", line 1424, in _run_once
    handle._run()
  File "C:\Program Files\Python36\lib\asyncio\events.py", line 145, in _run
    self._callback(*self._args)
  File "C:\Program Files\Python36\lib\asyncio\selector_events.py", line 734, in _read_ready
    keep_open = self._protocol.eof_received()
  File "C:\Program Files\Python36\lib\asyncio\sslproto.py", line 535, in eof_received
    self._wakeup_waiter(ConnectionResetError)
  File "C:\Program Files\Python36\lib\asyncio\sslproto.py", line 453, in _wakeup_waiter
    self._waiter.set_exception(exc)
protocol: <RequestHandler disconnected>
transport: <asyncio.sslproto._SSLProtocolTransport object at 0x000001CB1FC4E2E8>
Traceback (most recent call last):
  File "C:\Program Files\Python36\lib\asyncio\selector_events.py", line 230, in _accept_connection2
    yield from waiter
ConnectionResetError

asvetlov · 2018-06-11T11:21:56Z

Thank you. I can reproduce your problem.

)

yunstanford · 2018-08-13T18:59:05Z

I'm also looking for this fix. any timeline for releasing new version including this patch ? @asvetlov

asvetlov · 2018-08-13T20:01:22Z

Very soon

================== Features -------- - Add type hints (`3049 <https://github.com/aio-libs/aiohttp/pull/3049>`_) - Add ``raise_for_status`` request parameter (`3073 <https://github.com/aio-libs/aiohttp/pull/3073>`_) - Add type hints to HTTP client (`3092 <https://github.com/aio-libs/aiohttp/pull/3092>`_) - Minor server optimizations (`3095 <https://github.com/aio-libs/aiohttp/pull/3095>`_) - Preserve the cause when `HTTPException` is raised from another exception. (`3096 <https://github.com/aio-libs/aiohttp/pull/3096>`_) - Add `close_boundary` option in `MultipartWriter.write` method. Support streaming (`3104 <https://github.com/aio-libs/aiohttp/pull/3104>`_) - Added a ``remove_slash`` option to the ``normalize_path_middleware`` factory. (`3173 <https://github.com/aio-libs/aiohttp/pull/3173>`_) - The class `AbstractRouteDef` is importable from `aiohttp.web`. (`3183 <https://github.com/aio-libs/aiohttp/pull/3183>`_) Bugfixes -------- - Prevent double closing when client connection is released before the last ``data_received()`` callback. (`3031 <https://github.com/aio-libs/aiohttp/pull/3031>`_) - Make redirect with `normalize_path_middleware` work when using url encoded paths. (`3051 <https://github.com/aio-libs/aiohttp/pull/3051>`_) - Postpone web task creation to connection establishment. (`3052 <https://github.com/aio-libs/aiohttp/pull/3052>`_) - Fix ``sock_read`` timeout. (`3053 <https://github.com/aio-libs/aiohttp/pull/3053>`_) - When using a server-request body as the `data=` argument of a client request, iterate over the content with `readany` instead of `readline` to avoid `Line too long` errors. (`3054 <https://github.com/aio-libs/aiohttp/pull/3054>`_) - fix `UrlDispatcher` has no attribute `add_options`, add `web.options` (`3062 <https://github.com/aio-libs/aiohttp/pull/3062>`_) - correct filename in content-disposition with multipart body (`3064 <https://github.com/aio-libs/aiohttp/pull/3064>`_) - Many HTTP proxies has buggy keepalive support. Let's not reuse connection but close it after processing every response. (`3070 <https://github.com/aio-libs/aiohttp/pull/3070>`_) - raise 413 "Payload Too Large" rather than raising ValueError in request.post() Add helpful debug message to 413 responses (`3087 <https://github.com/aio-libs/aiohttp/pull/3087>`_) - Fix `StreamResponse` equality, now that they are `MutableMapping` objects. (`3100 <https://github.com/aio-libs/aiohttp/pull/3100>`_) - Fix server request objects comparison (`3116 <https://github.com/aio-libs/aiohttp/pull/3116>`_) - Do not hang on `206 Partial Content` response with `Content-Encoding: gzip` (`3123 <https://github.com/aio-libs/aiohttp/pull/3123>`_) - Fix timeout precondition checkers (`3145 <https://github.com/aio-libs/aiohttp/pull/3145>`_) Improved Documentation ---------------------- - Add a new FAQ entry that clarifies that you should not reuse response objects in middleware functions. (`3020 <https://github.com/aio-libs/aiohttp/pull/3020>`_) - Add FAQ section "Why is creating a ClientSession outside of an event loop dangerous?" (`3072 <https://github.com/aio-libs/aiohttp/pull/3072>`_) - Fix link to Rambler (`3115 <https://github.com/aio-libs/aiohttp/pull/3115>`_) - Fix TCPSite documentation on the Server Reference page. (`3146 <https://github.com/aio-libs/aiohttp/pull/3146>`_) - Fix documentation build configuration file for Windows. (`3147 <https://github.com/aio-libs/aiohttp/pull/3147>`_) - Remove no longer existing lingering_timeout parameter of Application.make_handler from documentation. (`3151 <https://github.com/aio-libs/aiohttp/pull/3151>`_) - Mention that ``app.make_handler`` is deprecated, recommend to use runners API instead. (`3157 <https://github.com/aio-libs/aiohttp/pull/3157>`_) Deprecations and Removals ------------------------- - Drop ``loop.current_task()`` from ``helpers.current_task()`` (`2826 <https://github.com/aio-libs/aiohttp/pull/2826>`_) - Drop ``reader`` parameter from ``request.multipart()``. (`3090 <https://github.com/aio-libs/aiohttp/pull/3090>`_)

This PR updates [aiohttp](https://pypi.org/project/aiohttp) from **3.3.2** to **3.4.4**. <details> <summary>Changelog</summary> ### 3.4.4 ``` ================== - Fix installation from sources when compiling toolkit is not available (`3241 <https://github.com/aio-libs/aiohttp/pull/3241>`_) ``` ### 3.4.3 ``` ================== - Add ``app.pre_frozen`` state to properly handle startup signals in sub-applications. (`3237 <https://github.com/aio-libs/aiohttp/pull/3237>`_) ``` ### 3.4.2 ``` ================== - Fix ``iter_chunks`` type annotation (`3230 <https://github.com/aio-libs/aiohttp/pull/3230>`_) ``` ### 3.4.1 ``` ================== - Fix empty header parsing regression. (`3218 <https://github.com/aio-libs/aiohttp/pull/3218>`_) - Fix BaseRequest.raw_headers doc. (`3215 <https://github.com/aio-libs/aiohttp/pull/3215>`_) - Fix documentation building on ReadTheDocs (`3221 <https://github.com/aio-libs/aiohttp/pull/3221>`_) ``` ### 3.4.0 ``` ================== Features -------- - Add type hints (`3049 <https://github.com/aio-libs/aiohttp/pull/3049>`_) - Add ``raise_for_status`` request parameter (`3073 <https://github.com/aio-libs/aiohttp/pull/3073>`_) - Add type hints to HTTP client (`3092 <https://github.com/aio-libs/aiohttp/pull/3092>`_) - Minor server optimizations (`3095 <https://github.com/aio-libs/aiohttp/pull/3095>`_) - Preserve the cause when `HTTPException` is raised from another exception. (`3096 <https://github.com/aio-libs/aiohttp/pull/3096>`_) - Add `close_boundary` option in `MultipartWriter.write` method. Support streaming (`3104 <https://github.com/aio-libs/aiohttp/pull/3104>`_) - Added a ``remove_slash`` option to the ``normalize_path_middleware`` factory. (`3173 <https://github.com/aio-libs/aiohttp/pull/3173>`_) - The class `AbstractRouteDef` is importable from `aiohttp.web`. (`3183 <https://github.com/aio-libs/aiohttp/pull/3183>`_) Bugfixes -------- - Prevent double closing when client connection is released before the last ``data_received()`` callback. (`3031 <https://github.com/aio-libs/aiohttp/pull/3031>`_) - Make redirect with `normalize_path_middleware` work when using url encoded paths. (`3051 <https://github.com/aio-libs/aiohttp/pull/3051>`_) - Postpone web task creation to connection establishment. (`3052 <https://github.com/aio-libs/aiohttp/pull/3052>`_) - Fix ``sock_read`` timeout. (`3053 <https://github.com/aio-libs/aiohttp/pull/3053>`_) - When using a server-request body as the `data=` argument of a client request, iterate over the content with `readany` instead of `readline` to avoid `Line too long` errors. (`3054 <https://github.com/aio-libs/aiohttp/pull/3054>`_) - fix `UrlDispatcher` has no attribute `add_options`, add `web.options` (`3062 <https://github.com/aio-libs/aiohttp/pull/3062>`_) - correct filename in content-disposition with multipart body (`3064 <https://github.com/aio-libs/aiohttp/pull/3064>`_) - Many HTTP proxies has buggy keepalive support. Let's not reuse connection but close it after processing every response. (`3070 <https://github.com/aio-libs/aiohttp/pull/3070>`_) - raise 413 "Payload Too Large" rather than raising ValueError in request.post() Add helpful debug message to 413 responses (`3087 <https://github.com/aio-libs/aiohttp/pull/3087>`_) - Fix `StreamResponse` equality, now that they are `MutableMapping` objects. (`3100 <https://github.com/aio-libs/aiohttp/pull/3100>`_) - Fix server request objects comparison (`3116 <https://github.com/aio-libs/aiohttp/pull/3116>`_) - Do not hang on `206 Partial Content` response with `Content-Encoding: gzip` (`3123 <https://github.com/aio-libs/aiohttp/pull/3123>`_) - Fix timeout precondition checkers (`3145 <https://github.com/aio-libs/aiohttp/pull/3145>`_) Improved Documentation ---------------------- - Add a new FAQ entry that clarifies that you should not reuse response objects in middleware functions. (`3020 <https://github.com/aio-libs/aiohttp/pull/3020>`_) - Add FAQ section "Why is creating a ClientSession outside of an event loop dangerous?" (`3072 <https://github.com/aio-libs/aiohttp/pull/3072>`_) - Fix link to Rambler (`3115 <https://github.com/aio-libs/aiohttp/pull/3115>`_) - Fix TCPSite documentation on the Server Reference page. (`3146 <https://github.com/aio-libs/aiohttp/pull/3146>`_) - Fix documentation build configuration file for Windows. (`3147 <https://github.com/aio-libs/aiohttp/pull/3147>`_) - Remove no longer existing lingering_timeout parameter of Application.make_handler from documentation. (`3151 <https://github.com/aio-libs/aiohttp/pull/3151>`_) - Mention that ``app.make_handler`` is deprecated, recommend to use runners API instead. (`3157 <https://github.com/aio-libs/aiohttp/pull/3157>`_) Deprecations and Removals ------------------------- - Drop ``loop.current_task()`` from ``helpers.current_task()`` (`2826 <https://github.com/aio-libs/aiohttp/pull/2826>`_) - Drop ``reader`` parameter from ``request.multipart()``. (`3090 <https://github.com/aio-libs/aiohttp/pull/3090>`_) ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/aiohttp - Changelog: https://pyup.io/changelogs/aiohttp/ - Repo: https://github.com/aio-libs/aiohttp </details>

lock · 2019-10-28T02:02:09Z

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there's important points made in this discussion, please include those exceprts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new

asvetlov added a commit that referenced this issue Jun 13, 2018

Fix #3052: Postpone web task creation to connection establishment

8735f91

asvetlov mentioned this issue Jun 13, 2018

Postpone web task creation to connection establishment #3081

Merged

asvetlov closed this as completed in #3081 Jun 18, 2018

asvetlov added a commit that referenced this issue Jun 18, 2018

Fix #3052: Postpone web task creation to connection establishment (#3081

0bc7d52

)

dependencies bot mentioned this issue Aug 26, 2018

aiohttp versions available: 3.4.0 Harmon758/Harmonbot#301

Closed

aio-libs-bot mentioned this issue Sep 27, 2018

aiohttp client session. it doesn't close a connection after keepalive_timeout #3296

Closed

aio-libs-bot mentioned this issue Oct 25, 2018

How send "WebSocket Connection Close[FIN]"??? #3363

Closed

This was referenced Dec 6, 2018

How to force close underlying connection #3433

Closed

Cannot properly close ws connection in one-sided way. #3443

Closed

This was referenced Jan 2, 2019

"Application data after close notify" regression in 3.5.0 with SSL connection #3477

Closed

raise exception to close connection without response (aka nginx 444) #3495

Closed

BUG. ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify #3502

Closed

aio-libs-bot mentioned this issue Jan 14, 2019

ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2605) #3535

Closed

This was referenced Mar 11, 2019

ClientWebSocketResponse fails with TypeError if server closed the connection #3645

Open

ConnectionAbortedError: SSL handshake is taking longer than 60.0 seconds: aborting the connection #3651

Closed

lock bot added the outdated label Oct 28, 2019

lock bot locked as resolved and limited conversation to collaborators Oct 28, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSL with closed connections #3052

SSL with closed connections #3052

Usever commented Jun 4, 2018

asvetlov commented Jun 5, 2018

Usever commented Jun 7, 2018

asvetlov commented Jun 11, 2018

yunstanford commented Aug 13, 2018

asvetlov commented Aug 13, 2018

lock bot commented Oct 28, 2019

SSL with closed connections #3052

SSL with closed connections #3052

Comments

Usever commented Jun 4, 2018

Long story short

Expected behaviour

Actual behaviour

Steps to reproduce

Your environment

asvetlov commented Jun 5, 2018

Usever commented Jun 7, 2018

asvetlov commented Jun 11, 2018

yunstanford commented Aug 13, 2018

asvetlov commented Aug 13, 2018

lock bot commented Oct 28, 2019