How to combine TLS client auth and relaxing client-side TLS validation

[dralley]

The docs suggest that the appropriate way to relax TLS/SSL checks is to set the value to False when configuring the session

By default aiohttp uses strict checks for HTTPS protocol. Certification checks can be relaxed by setting ssl to False:

r = await session.get('https://example.com', ssl=False)

If you need to setup custom ssl parameters (use own certification files for example) you can create a ssl.SSLContext instance and pass it into the ClientSession.request() methods or set it for the entire session with ClientSession(connector=TCPConnector(ssl=ssl_context)).

However, I need to provide TLS client auth certificates in order to for the server to accept the connection, yet I also want to be able to relax the standard TLS checks on the server's authenticity from the client-side (the cert chain includes some self-signed certs, it gets painful to provide all of them and for ergonomic reasons I want an option to ignore all of that, it's not actually important to security in this case).

How can I accomplish this?

Here's my existing code:

        if self.verify_tls:
            sslcontext = ssl.create_default_context(cafile=self.tls_ca_cert)
        else:
            sslcontext = ssl.create_default_context()
        if self.tls_client_cert:
            sslcontext.load_cert_chain(  # obviously if sslcontext=False, this isn't going to work
                certfile=self.tls_client_cert,
                keyfile=self.tls_client_key
            )
        headers = {"user-agent": USER_AGENT}
        conn = aiohttp.TCPConnector(
            limit=self.max_parallel_downloads,
            limit_per_host=self.max_parallel_downloads_per_mirror,
            ssl=sslcontext,
        )

[dralley]

It appears there used to be separate verify_ssl and sslcontext options, which would have made this easier.

[Dreamsorcerer]

No, they'd conflict.

Just configure the context however you need it. This is aiohttp's 'relaxed' version:

aiohttp/aiohttp/connector.py

Lines 790 to 797 in 46b557a

	sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
	sslcontext.options |= ssl.OP_NO_SSLv2
	sslcontext.options |= ssl.OP_NO_SSLv3
	sslcontext.check_hostname = False
	sslcontext.verify_mode = ssl.CERT_NONE
	sslcontext.options |= ssl.OP_NO_COMPRESSION
	sslcontext.set_default_verify_paths()
	sslcontext.set_alpn_protocols(("http/1.1",))