Unable to catch the ssl.SSLCertVerificationError Exception #1582
-
|
I have implemented http2 client using httpx. While testing an invalid cert issue, I have come across a scenario where the underlying asyncio loop logs the exception but doesn't raise it so that the application is notified of the error. Attaching the code used to simulate the issue. The code when run on a debian box simply logs the exception but the code does not catch the exception. The below similar version when run on windows doesn't result in this issue. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 5 replies
-
|
If you want to catch that case you need to be catching We always ensure that raw network errors are mapped neatly onto the However, something that we should probably change here is that we're not preserving the entire traceback, so you'll see eg, this... Traceback (most recent call last):
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_transports/default.py", line 61, in map_httpcore_exceptions
yield
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_transports/default.py", line 291, in handle_async_request
ext=extensions,
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_async/connection_pool.py", line 219, in arequest
method, url, headers=headers, stream=stream, ext=ext
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_async/connection.py", line 92, in arequest
self.socket = await self._open_socket(timeout)
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_async/connection.py", line 123, in _open_socket
local_address=self.local_address,
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_backends/auto.py", line 45, in open_tcp_stream
hostname, port, ssl_context, timeout, local_address=local_address
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_backends/asyncio.py", line 244, in open_tcp_stream
stream_reader=stream_reader, stream_writer=stream_writer
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/contextlib.py", line 130, in __exit__
self.gen.throw(type, value, traceback)
File "/Users/tomchristie/GitHub/encode/httpx/venv/lib/python3.7/site-packages/httpcore/_exceptions.py", line 12, in map_exceptions
raise to_exc(exc) from None
httpcore.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "./example.py", line 32, in <module>
asyncio.run(main(),debug=True)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/runners.py", line 43, in run
return loop.run_until_complete(main)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/base_events.py", line 583, in run_until_complete
return future.result()
File "./example.py", line 30, in main
ret = await asyncio.gather(task)
File "./example.py", line 14, in test
await client.get(url="https://incomplete-chain.badssl.com/")
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1622, in get
timeout=timeout,
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1429, in request
request, auth=auth, allow_redirects=allow_redirects, timeout=timeout
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1468, in send
history=[],
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1502, in _send_handling_auth
history=history,
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1532, in _send_handling_redirects
response = await self._send_single_request(request, timeout)
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_client.py", line 1578, in _send_single_request
extensions={"timeout": timeout.as_dict()},
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_transports/default.py", line 291, in handle_async_request
ext=extensions,
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/contextlib.py", line 130, in __exit__
self.gen.throw(type, value, traceback)
File "/Users/tomchristie/GitHub/encode/httpx/httpx/_transports/default.py", line 78, in map_httpcore_exceptions
raise mapped_exc(message) from exc
httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)When really we'd also like to include the full low level trackback all the way back to the original That's occurring because we're currently masking the originating traceback when mapping to httpcore exceptions. Eg asyncio case and sync case We almost certainly want to drop the @contextlib.contextmanager
def map_exceptions(map: Dict[Type[Exception], Type[Exception]]) -> Iterator[None]:
try:
yield
except Exception as exc: # noqa: PIE786
for from_exc, to_exc in map.items():
if isinstance(exc, from_exc):
raise to_exc(exc) from None
raiseI haven't dug through to see our issue history with Note that the simplest reproduction of the case you're talking about is this... httpx.get(url="https://incomplete-chain.badssl.com/")Aside to team - we're often seeing issue reports against asyncio cases, which to my mind generally over-complicates things, unless it's genuinely an asyncio-specific error. Usually on a first pass I'll start by working through a sync case instead. There might be some good stuff for us to do here with guiding contributors and helping get incoming potential issues framed as simply as possible. Not sure. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the help @tomchristie . With I had the httpx.ConnectError defined to catch it. This does not seem to work either. As a last resort I tried to catch the Exception class as this is the base class for all the derived exceptions but no luck either. |
Beta Was this translation helpful? Give feedback.
-
|
I can't replicate the behaviour you're outlining there, no. I get precisely this... example.py import os
import logging
import asyncio
import ssl
import httpx
proxy = os.environ.get("https_proxy",default="")
async def test():
print("Entered Task")
client = httpx.AsyncClient(http2=True)
try:
print("Doing a get request")
await client.get(url="https://incomplete-chain.badssl.com/")
except ssl.SSLCertVerificationError as error:
print("Error Caught")
await client.aclose()
except Exception as error:
print("Error Caught")
await client.aclose()
async def main():
task = asyncio.create_task(test())
logging.basicConfig(level=logging.DEBUG)
print("Task Created, Sleeping")
await asyncio.sleep(1)
ret = await asyncio.gather(task)
asyncio.run(main(),debug=True)Console... $ python ./example.py
Task Created, Sleeping
Entered Task
Doing a get request
DEBUG:asyncio:Get address info incomplete-chain.badssl.com:443, type=<SocketKind.SOCK_STREAM: 1>
DEBUG:asyncio:Getting address info incomplete-chain.badssl.com:443, type=<SocketKind.SOCK_STREAM: 1> took 60.814ms: [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('104.154.89.105', 443))]
DEBUG:asyncio:poll 971.514 ms took 59.854 ms: 1 events
DEBUG:asyncio:connect <socket.socket fd=8, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('0.0.0.0', 0)> to ('104.154.89.105', 443)
DEBUG:asyncio:poll 908.979 ms took 120.763 ms: 1 events
DEBUG:asyncio:<asyncio.sslproto.SSLProtocol object at 0x104c09d50> starts SSL handshake
DEBUG:asyncio:poll 782.819 ms took 117.044 ms: 1 events
DEBUG:asyncio:<asyncio.sslproto.SSLProtocol object at 0x104c09d50>: SSL handshake failed on verifying the certificate
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/sslproto.py", line 629, in _on_handshake_complete
raise handshake_exc
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
self._sslobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 774, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
DEBUG:asyncio:<asyncio.sslproto.SSLProtocol object at 0x104c09d50>: SSL error in data received
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
ssldata, appdata = self._sslpipe.feed_ssldata(data)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
self._sslobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 774, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
Error Caught
DEBUG:asyncio:Close <_UnixSelectorEventLoop running=False closed=False debug=True> |
Beta Was this translation helpful? Give feedback.
-
|
Running the program on Debian 8 box, I get the following output. Console Output follows. |
Beta Was this translation helpful? Give feedback.
-
|
I'd suggest you start by simplifying things a bit, eg... You also might try to see if you can replicate with |
Beta Was this translation helpful? Give feedback.
-
|
The modified code using asyncio resulted in the same issue. I gave a try using trio. Console output I am able to catch the exception with trio but not the httpx.ConnectError exception. |
Beta Was this translation helpful? Give feedback.
-
|
@tomchristie I was able to isolate the issue. It was a result of using a https_proxy param. The statement |
Beta Was this translation helpful? Give feedback.
-
|
try the |
Beta Was this translation helpful? Give feedback.
@tomchristie I was able to isolate the issue. It was a result of using a https_proxy param. The statement
raise ProxyError(exc)in async def _tunnel_request was never getting raised. The httpx version I was using was 0.12.3.With latest release of httpx I no longer see this issue. Thanks a lot for the help.