SSL: UNEXPECTED_EOF_WHILE_READING

[hanunes]

Subject

When trying to perform a HTTPS GET request with the requests library, I get the EOF error above. By pinning urllib3 to an older version (1.x), all works as expected. The endpoint is using a self-signed certificate.

Environment

OS Linux-5.10.0-19-amd64-x86_64-with-glibc2.36
Python 3.11.4
OpenSSL 3.0.11 19 Sep 2023
urllib3 2.2.1

Steps to Reproduce

Failure script

import requests

def main(host: str):
    return requests.get("https://%s" % (host), verify=False)

Successful script

#requirements:
#requests
#urllib3==1.26.18

import requests

def main(host: str):
    return requests.get("https://%s" % (host), verify=False)

Expected Behavior

Would expect a 200 OK response from the server.

<Response [200]>

Actual Behavior

EOF error

SSL: HTTPSConnectionPool(host='<host>', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1002)')))

  File "/tmp/windmill/wk-default-55fee825b1b2-92z4n/018e0f86-8062-74c4-b7e2-35eaf85a4ebc/u/<user>/intimate_script.py", line 4, in main
    return requests.get("https://%s" % (host), verify=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/tmp/windmill/cache/pip/requests==2.31.0/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/tmp/windmill/cache/pip/requests==2.31.0/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/tmp/windmill/cache/pip/requests==2.31.0/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/tmp/windmill/cache/pip/requests==2.31.0/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/tmp/windmill/cache/pip/requests==2.31.0/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)

[sigmavirus24]

Please don't use screenshots. They're not searchable and folks who rely on screen readers cannot interpret them. Please instead copy and paste the plain text of the images if you want help

[hanunes]

Edited, thanks @sigmavirus24

[sethmlarson]

@hanunes In order to recreate the conditions for this error we either need a public endpoint/host or a packet capture, could you provide either of those so we can see why this is happening?

[sethmlarson]

Also this seems similar to #3100

[hanunes]

Hi, I will definitely try to get a packet capture going. Will update here one I do.

[hanunes]

You can find the packet capture below. Let me know if there's anything else I can provide.

requests_err_ssleof.zip

[keepworking]

it is similar to #3100, it also closed connection after ClientHello.

Maybe it's because the server doesn't support the options that the client requests. #3100 Issue failed to support the CipherSuit requested by the client on the server. I'm guessing it's similar in your case. If you check the CipherSuit when the connection was successful and add this, you can solve it. If there is a wire-shark packet when the connection was successful, you can refer to it.

I looked for ways to update sslcontext in requests and I'm leaving a link below for you to find and refer to the following.

https://requests.readthedocs.io/en/latest/user/advanced/#example-specific-ssl-version
https://stackoverflow.com/questions/64063235/how-to-use-sslcontext-with-python-requests-library