[New-bugs-announce] [issue46156] 3.9.9: python built-in SSL module unable to connect to an IIS server (104 Connection reset by peer), but pyopenssl works fine

lkraav report at bugs.python.org
Wed Dec 22 14:02:14 EST 2021


New submission from lkraav <leho at kraav.com>:

Problems emerged when Requests phased out PyOpenSSL as their default backend https://github.com/psf/requests/blob/main/HISTORY.md#2240-2020-06-17

Suddenly my script wasn't able to connect to a remote server that it had been working with for years.

All connection attempts with Python built-in SSL module, with various certificate or TLS configurations tested, result in a blunt ConnectionResetError during `do_handshake()`.

This leads me to believe Python SSL module is maybe incompatible [with some IIS thing] in some perhaps fixable way, because going with PyOpenSSL backend via `urllib3.contrib.pyopenssl.inject_into_urllib3()`

I can provide the real server name in a private email if any maintainer is interested in doing a debug run in some more thorough way that I'm unable to; let me know.

Example test:

```
$ ipython
Python 3.9.9 (main, Dec 21 2021, 17:21:49) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ssl

In [2]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

In [3]: import socket

In [4]: context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT, verify_mode=ssl.CERT_NONE)

In [5]: conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="webapi.remote")

In [6]: conn.connect(("webapi.remote", 52100))
---------------------------------------------------------------------------
ConnectionResetError                      Traceback (most recent call last)
<ipython-input-6-f778062c5e51> in <module>
----> 1 conn.connect(("webapi.remote", 52100))

/usr/lib/python3.9/ssl.py in connect(self, addr)
   1340         """Connects to remote ADDR, and then wraps the connection in
   1341         an SSL channel."""
-> 1342         self._real_connect(addr, False)
   1343 
   1344     def connect_ex(self, addr):

/usr/lib/python3.9/ssl.py in _real_connect(self, addr, connect_ex)
   1331                 self._connected = True
   1332                 if self.do_handshake_on_connect:
-> 1333                     self.do_handshake()
   1334             return rc
   1335         except (OSError, ValueError):

/usr/lib/python3.9/ssl.py in do_handshake(self, block)
   1307             if timeout == 0.0 and block:
   1308                 self.settimeout(None)
-> 1309             self._sslobj.do_handshake()
   1310         finally:
   1311             self.settimeout(timeout)

ConnectionResetError: [Errno 104] Connection reset by peer
```

----------
assignee: christian.heimes
components: SSL
messages: 409050
nosy: christian.heimes, lkraav
priority: normal
severity: normal
status: open
title: 3.9.9: python built-in SSL module unable to connect to an IIS server (104 Connection reset by peer), but pyopenssl works fine
type: behavior
versions: Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46156>
_______________________________________
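
An added example, not part of the original report or of CPython: one way to narrow down a handshake reset like the one in the traceback is to repeat the handshake with a single client-side setting changed each time and record the outcome per profile. The profile names, `classify`, `probe` and the loopback `reset_listener` (a constructed stand-in that resets every connection) are assumptions for illustration; the report does not say which setting, if any, matters.

```python
import socket
import ssl
import struct
import threading

PROFILES = {  # hypothetical profile names; each changes one client-side setting
    "default": lambda ctx: None,
    "tls1.2-max": lambda ctx: setattr(ctx, "maximum_version", ssl.TLSVersion.TLSv1_2),
    "tls1.3-min": lambda ctx: setattr(ctx, "minimum_version", ssl.TLSVersion.TLSv1_3),
    "seclevel-1": lambda ctx: ctx.set_ciphers("DEFAULT:@SECLEVEL=1"),
}

def classify(exc):
    """Coarse label for a handshake failure (TLS-level errors checked first)."""
    if isinstance(exc, ssl.SSLError):
        return "tls-error:" + (getattr(exc, "reason", None) or "unknown")
    if isinstance(exc, ConnectionResetError):
        return "reset-by-peer"
    return type(exc).__name__

def probe(host, port, timeout=5.0):
    """Attempt one handshake per profile and return {profile: outcome}."""
    results = {}
    for name, apply in PROFILES.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # has to be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # diagnostics only: takes PKI out of the picture
        try:
            apply(ctx)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok:%s/%s" % (tls.version(), tls.cipher()[0])
        except (OSError, ValueError) as exc:
            results[name] = classify(exc)
    return results

def reset_listener(count):
    """Constructed stand-in for the failing server: accept, then send a TCP RST."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        for _ in range(count):
            conn, _addr = srv.accept()
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for profile, outcome in probe("127.0.0.1", reset_listener(len(PROFILES))).items():
        print(f"{profile:12} {outcome}")
```

Against a real endpoint, a profile that reports `ok:` while `default` reports `reset-by-peer` points at the setting worth comparing with what the PyOpenSSL backend sends.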

