
I have an application making API requests via the aiohttp library.

```python
session = aiohttp.ClientSession()
session.get(url, proxy=get_proxy_v2(), ssl=False)
```

I make around 10 requests/second. About once an hour I get the following error:

```
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host <REDACTED_HOST>:443 ssl:False [[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:997)]
```

Initially, I didn't have `ssl=False` but added it to try to avoid this error. It had no effect; I still get this error about once an hour. I could simply add a try/catch to catch the error and retry, but I would like to properly fix this error. I am a bit confused on how I am getting an SSL error even though I have ssl set to False. Not sure where to go from here.

user3533755

1 Answer


> I am a bit confused on how I am getting an SSL error even though I have ssl set to False.

`ssl=False` ignores only certificate validation errors. But `TLSV1_ALERT_INTERNAL_ERROR` has nothing to do with certificate validation, so this option does not help here. Apart from that, setting `ssl=False` is a very bad idea since it significantly downgrades the security offered by HTTPS: it will no longer protect against active man-in-the-middle attacks.

There are various reasons `TLSV1_ALERT_INTERNAL_ERROR` might occur, like having no common ciphers or protocol versions, needing client certificates, the server being overloaded or whatever. When connecting to arbitrary servers on the internet it is expected that such errors sometimes occur. Catching the error and ignoring this server for now is usually the right choice.

If the error happens for servers one really wants to connect to, one has to analyze the cause of the problem with this specific server and then try to address this specific cause, i.e. there is no generic solution.

Steffen Ullrich
  • Then, what you ultimately mean is that `TLSV1_ALERT_INTERNAL_ERROR` is a generic error, not a specific one which can be treated directly? – João Ciocca Jul 18 '22 at 18:15
  • @JoãoCiocca: I'm not sure what you mean by *"can be treated directly"*. The sender is sending such an alert when it does not like what the client sends for an unspecific reason. The server decided that it cannot continue with the TLS handshake in this situation. This specifically means that the client cannot recover from this error and just continue with TLS. The client might find out what the error is by educated guesses and then retry a new TLS connection after some parameters (like ciphers ...) have been changed in the hope that it works then. – Steffen Ullrich Jul 18 '22 at 19:12
  • I mean that a treatment path specific for `TLSV1_ALERT_INTERNAL_ERROR` can't be scripted, like an `except TLSV1_ALERT_INTERNAL_ERROR as err`, for example. – João Ciocca Jul 18 '22 at 21:17
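
An added example, not code from the question, the answer or the comments: one way to catch this alert and retry a bounded number of times while leaving certificate verification enabled, re-raising afterwards so the caller can skip the server. The helper names and the retryable set are assumptions of this sketch; `request` is any coroutine function, and the `os_error` lookup relies on aiohttp's connector errors exposing the wrapped error under that attribute.

```python
import asyncio
import ssl

# Alert names (ssl.SSLError.reason) treated as transient.
# Constructed for this example; extend only after analysing a given server.
RETRYABLE_REASONS = {"TLSV1_ALERT_INTERNAL_ERROR"}


def find_ssl_error(exc):
    """Walk wrapper exceptions down to the ssl.SSLError that carries a reason."""
    seen = set()
    while exc is not None and id(exc) not in seen:
        seen.add(id(exc))
        if isinstance(exc, ssl.SSLError) and getattr(exc, "reason", None):
            return exc
        # Assumption: connector errors keep the original error in `os_error`;
        # otherwise fall back to the normal exception chain.
        exc = getattr(exc, "os_error", None) or exc.__cause__ or exc.__context__
    return None


def is_retryable(exc):
    """True only for listed handshake alerts, never for certificate failures."""
    err = find_ssl_error(exc)
    if err is None or isinstance(err, ssl.SSLCertVerificationError):
        return False
    return err.reason in RETRYABLE_REASONS


async def call_with_tls_retry(request, attempts=3, base_delay=0.5):
    """Await request(); retry transient TLS alerts with exponential backoff."""
    for attempt in range(1, attempts + 1):
        try:
            return await request()
        except Exception as exc:
            # Last attempt or a non-transient error: let the caller decide,
            # for example by skipping this server for now.
            if attempt == attempts or not is_retryable(exc):
                raise
            await asyncio.sleep(base_delay * 2 ** (attempt - 1))
```

With aiohttp this would be called as `await call_with_tls_retry(lambda: session.get(url, proxy=get_proxy_v2()))`, that is, without `ssl=False`.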