SSL websocket client certificate validation failure results in connection timeout

[nfd]

In trio-websocket, when running as a client, connecting to a server using SSL: Because SSL connection happens during the initial handshake, if there is an SSL issue such as a failure to validate the server's certificate, Trio's SSL connection will be set to _state.BROKEN and trio-websocket's reader_task will exit, but because the exception is translated to ConnectionClosed by _send the reader_task will exit normally and the nursery will stick around, meaning the connection will time out rather than immediately exit.

It's fixable by doing something unpleasant like this in _send's exception handler:

if isinstance(exc.__cause__, _stdlib_ssl.CertificateError):
    raise exc.__cause__

But that's a bit unpleasant. I tried instead having reader_task's _initial_request handler re-raise the exception, but that seems too broad.

Any thoughts? Happy to write something. I'm hitting this issue because a client running on Windows is sometimes unable to validate certificates, and it would be useful to know early rather than waiting for a connection timeout (which also obscures the cause of the error).

[ndavison]

I recently came across this issue, here is a high level PoC which for me will appear to just hang forever and not actually timeout:

import ssl
import trio
from trio_websocket import connect_websocket_url

async def main():
    # force a bad ssl context with no chance to succeed verification
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    async with trio.open_nursery() as nursery:
        # attempt against a running tls server
        await connect_websocket_url(nursery, "wss://localhost:8443", ssl_context=ctx)
        print("Connected")

trio.run(main)

Or just this, if you're running a self signed cert server anyway and don't need to force a verify fail:

import trio
from trio_websocket import connect_websocket_url

async def main():
    async with trio.open_nursery() as nursery:
        # attempt against a running tls server
        await connect_websocket_url(nursery, "wss://localhost:8443")
        print("Connected")

trio.run(main)

I think it is hanging indefinitely because it seems as if the connection is not actually closing? on a openssl s_server -state server running, I see this when the connection is attempted:

SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write change cipher spec
SSL_accept:TLSv1.3 write encrypted extensions
SSL_accept:SSLv3/TLS write certificate
SSL_accept:TLSv1.3 write server certificate verify
SSL_accept:SSLv3/TLS write finished
SSL_accept:TLSv1.3 early data

And then when I eventually ctrl+c the PoC script, this:

SSL3 alert write:fatal:decode error
SSL_accept:error in error
ERROR
40B77734137D0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:316:
shutting down SSL
CONNECTION CLOSED