Logo Questions Linux Laravel Mysql Ubuntu Git Menu

Python SSL example from docs gives "Connection reset by peer" error




I'm trying to run the example code provided in the documentation for the ssl module here: http://docs.python.org/2/library/ssl.html#client-side-operation

The server-side code is similar to the example given in the documentation, and it throws this exception:

Traceback (most recent call last):
  File "serve.py", line 16, in <module>
  File "/usr/lib/python2.7/ssl.py", line 381, in wrap_socket
  File "/usr/lib/python2.7/ssl.py", line 143, in __init__
  File "/usr/lib/python2.7/ssl.py", line 305, in do_handshake
socket.error: [Errno 104] Connection reset by peer

And the client-side code, also similar to the example in the documentation, throws this exception:

Traceback (most recent call last):
  File "client.py", line 8, in <module>
    ssl_sock.connect((host, port))
  File "/usr/lib/python2.7/ssl.py", line 331, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python2.7/ssl.py", line 324, in _real_connect
    raise e
socket.error: [Errno 104] Connection reset by peer

As far as I can see, I've copied the examples provided in the documentation quite closely, so I don't know what the problem is. All of my TCP, UDP and ICMP ports are open, so I don't think it is a firewall issue.

(I've edited this question to cut out my code for brevity, as it really is quite similar to the example provided in the link. If you want to see my code, look at the history of this question.)

like image 386
Flimm Avatar asked Mar 24 '23 08:03


1 Answers

I found the problem. I generated the private key and the certificate using command like this:

$ openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem
Generating a 1024 bit RSA private key
# ...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organization, Inc.
Organizational Unit Name (eg, section) []:My Group
Common Name (eg, YOUR name) []:myserver.mygroup.myorganization.com
Email Address []:[email protected]

The crucial part is that the "common name" entered must match the domain name of the server. I thought that when cacerts is ssl.CERT_NONE, which it is by default for wrap_socket, this wouldn't be checked, but I was wrong. It's always checked. One night's sleep and it's the first thing I thought of to verify!

Hopefully this will be useful to someone else who gets this cryptic error message.

If this doesn't solve it, you might be suffering from deep packet inspection. I got this error again when I was on a university network, but not on any other network, and I'm fairly certain it was because of deep packet inspection.

like image 134
Flimm Avatar answered Mar 30 '23 19:03