
Rejected SSL upgrade error when trying to disable SSL

Open tinducvo opened this issue 2 years ago • 2 comments

Describe the bug

When using the FastAPI `register_tortoise` method with the config arg to disable SSL, following https://tortoise-orm.readthedocs.io/en/latest/databases.html#passing-in-custom-ssl-certificates, the following error is displayed when the server does not support SSL at all (docker). It worked fine when SSL was supported by the postgres instance:

```
ERROR:    Traceback (most recent call last):
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/starlette/routing.py", line 621, in lifespan
    async with self.lifespan_context(app):
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/starlette/routing.py", line 518, in __aenter__
    await self._router.startup()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/starlette/routing.py", line 598, in startup
    await handler()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/tortoise/contrib/fastapi/__init__.py", line 93, in init_orm
    await Tortoise.init(config=config, config_file=config_file, db_url=db_url, modules=modules)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/tortoise/__init__.py", line 598, in init
    await cls._init_connections(connections_config, _create_db)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/tortoise/__init__.py", line 390, in _init_connections
    await connection.create_connection(with_db=True)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/tortoise/backends/asyncpg/client.py", line 103, in create_connection
    self._pool = await asyncpg.create_pool(None, password=self.password, **self._template)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/pool.py", line 413, in _async__init__
    await self._initialize()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/pool.py", line 441, in _initialize
    await first_ch.connect()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/pool.py", line 133, in connect
    self._con = await self._pool._get_new_connection()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/pool.py", line 511, in _get_new_connection
    con = await connection.connect(
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connection.py", line 2085, in connect
    return await connect_utils._connect(
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connect_utils.py", line 895, in _connect
    raise last_error
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connect_utils.py", line 881, in _connect
    return await _connect_addr(
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connect_utils.py", line 776, in _connect_addr
    return await __connect_addr(params, timeout, False, *args)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connect_utils.py", line 825, in __connect_addr
    tr, pr = await compat.wait_for(connector, timeout=timeout)
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/compat.py", line 66, in wait_for
    return await asyncio.wait_for(fut, timeout)
  File "/home/tin/.pyenv/versions/3.10.2/lib/python3.10/asyncio/tasks.py", line 445, in wait_for
    return fut.result()
  File "/home/tin/Code/crowdprivy/crowdprivy/backend/.venv/lib/python3.10/site-packages/asyncpg/connect_utils.py", line 699, in _create_ssl_connection
    do_ssl_upgrade = await pr.on_data
ConnectionError: PostgreSQL server at "127.0.0.1:5432" rejected SSL upgrade
```

To Reproduce

```python
import ssl
from ssl import create_default_context

# Context built as in the linked docs; verification is switched off entirely
ssl_context = create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

tortoise_config = {
    'connections': {
        # Dict format for connection
        'default': {
            'engine': 'tortoise.backends.asyncpg',
            'credentials': {
                'host': '127.0.0.1',
                'port': '5432',
                'user': 'postgres',
                'password': 'postgres',
                'database': 'postgres',
                "ssl": ssl_context
            }
        },
    },
    'apps': {
        'models': {
            'models': ["models.models", "aerich.models"],
            # If no default_connection specified, defaults to 'default'
            'default_connection': 'default',
        }
    }
}
# passed to register_tortoise(app, config=tortoise_config)
```

Expected behavior

Successful connection without SSL whether or not the postgres instance supports SSL.

tinducvo avatar Apr 04 '22 19:04 tinducvo

I have the same problem with Tortoise. We wanted to deploy it for docker production and now we can't do that because of this issue. We need to switch to a different ORM unless it is fixed in 3 weeks

przwr avatar Sep 25 '23 20:09 przwr

Actually, after a bit of testing, it turns out that if we pass False instead of ssl_context to ssl it works fine. The problem is when using a URI or providing any kind of ssl context.

przwr avatar Sep 25 '23 21:09 przwr
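To show what the traceback in the report and przwr's observation mean at the protocol level, here is an added example that is not part of this issue, of tortoise-orm or of asyncpg: it models PostgreSQL's SSLRequest handshake and three client policies, where `ssl=False` never sends the request and an `SSLContext` requires the upgrade and fails on the server's `N` byte with the error text from this issue. The `prefer` mode, the `mode_from_ssl_credential` mapping and the `context_authenticates_server` check are my assumptions drawn from the thread, not a reproduction of asyncpg's code.

```python
import ssl
import struct
from enum import Enum

# PostgreSQL SSLRequest: Int32 length (8) then Int32 code 80877103 (1234 << 16 | 5679).
# The server answers with one byte: b"S" to start TLS, b"N" to refuse the upgrade.
SSL_REQUEST = struct.pack("!ii", 8, 80877103)


class SslMode(Enum):
    DISABLE = "disable"  # never send SSLRequest (what ssl=False achieves)
    PREFER = "prefer"    # send it, fall back to plaintext on "N" (assumed mode)
    REQUIRE = "require"  # send it, fail on "N" (behaviour seen with a context)


def mode_from_ssl_credential(value) -> SslMode:
    """Map the 'ssl' credential of the tortoise config to a policy (from the thread's observations)."""
    if value is False:
        return SslMode.DISABLE
    if isinstance(value, ssl.SSLContext):
        return SslMode.REQUIRE
    raise TypeError("expected False or an ssl.SSLContext")


def server_answer(server_supports_tls: bool) -> bytes:
    """Constructed stand-in for the server side: a docker postgres without certs answers N."""
    return b"S" if server_supports_tls else b"N"


def negotiate(mode: SslMode, server_supports_tls: bool, host="127.0.0.1", port=5432) -> str:
    """Return the transport the client ends up on, or raise the error from the traceback."""
    if mode is SslMode.DISABLE:
        return "plaintext"
    answer = server_answer(server_supports_tls)  # client has sent SSL_REQUEST, reads one byte
    if answer == b"S":
        return "tls"
    if answer != b"N":
        raise ConnectionError("unexpected SSLRequest response %r" % answer)
    if mode is SslMode.REQUIRE:
        raise ConnectionError(f'PostgreSQL server at "{host}:{port}" rejected SSL upgrade')
    return "plaintext"


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain and the hostname; the issue's context does neither."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)
```

A context with `CERT_NONE` and `check_hostname = False` still encrypts the session but accepts any server certificate, so it gives no protection against an impersonated database host.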