TLSV1_ALERT_ACCESS_DENIED error with aiohttp, works fine with httpx and requests

[JidGalaxio]

Describe the bug

I'm encountering an issue where both requests and httpx successfully retrieve the response from a server, but aiohttp raises a TLSV1_ALERT_ACCESS_DENIED error when attempting to connect to the same server over HTTPS.

Additionally, the URL opens without any issues in the Chrome browser and works perfectly with curl. I have also tried accessing the server using a VPN, so I'm pretty sure it's not related to the source IP address.

To Reproduce

import asyncio
import aiohttp
import httpx
import requests

URL = f"https://dl2.vinafile.xyz"

async def try_aiohttp():
    try:
        async with aiohttp.ClientSession() as session:
            async with session.get(URL) as response:
                print("[aiohttp] Status Code:", response.status)
    except Exception as e:
        print(f"[aiohttp] Error: {str(e)}")

def try_httpx():
    try:
        with httpx.Client() as client:
            response = client.get(URL)
            print("[httpx] Status Code:", response.status_code)
    except Exception as e:
        print(f"[httpx] Error: {str(e)}")

def try_requests():
    try:
        response = requests.get(URL)
        print("[requests] Status Code:", response.status_code)
    except Exception as e:
        print(f"[requests] Error: {str(e)}")


asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
asyncio.run(try_aiohttp())

try_httpx()

try_requests()

Expected behavior

aiohttp should behave similarly to requests and httpx by successfully retrieving a response from the server.

Output:
[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
[httpx] Status Code: 200
[requests] Status Code: 200

Logs/tracebacks

Traceback (most recent call last):
  File "C:\Program Files\Python312\Lib\site-packages\aiohttp\connector.py", line 1075, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs, sock=sock)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\asyncio\base_events.py", line 1149, in create_connection
    transport, protocol = await self._create_connection_transport(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\asyncio\base_events.py", line 1182, in _create_connection_transport
    await waiter
  File "C:\Program Files\Python312\Lib\asyncio\sslproto.py", line 578, in _on_handshake_complete
    raise handshake_exc
  File "C:\Program Files\Python312\Lib\asyncio\sslproto.py", line 560, in _do_handshake
    self._sslobj.do_handshake()
  File "C:\Program Files\Python312\Lib\ssl.py", line 917, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)

Python Version

$ python --version
Python 3.12.3

aiohttp Version

$ python -m pip show aiohttp
Name: aiohttp
Version: 3.10.9
Summary: Async http client/server framework (asyncio)
Home-page: https://github.com/aio-libs/aiohttp
Author:
Author-email:
License: Apache 2
Location: C:\Program Files\Python312\Lib\site-packages
Requires: aiohappyeyeballs, aiosignal, attrs, frozenlist, multidict, yarl
Required-by: aiohttp_socks, vt-py

multidict Version

$ python -m pip show multidict
Name: multidict
Version: 6.0.5
Summary: multidict implementation
Home-page: https://github.com/aio-libs/multidict
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache 2
Location: C:\Program Files\Python312\Lib\site-packages
Requires:
Required-by: aiohttp, yarl

propcache Version

$ python -m pip show propcache
Name: propcache
Version: 0.2.0
Summary: Accelerated property cache
Home-page: https://github.com/aio-libs/propcache
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache-2.0
Location: C:\Program Files\Python312\Lib\site-packages
Requires:

yarl Version

$ python -m pip show yarl
Name: yarl
Version: 1.14.0
Summary: Yet another URL library
Home-page: https://github.com/aio-libs/yarl
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache-2.0
Location: C:\Program Files\Python312\Lib\site-packages
Requires: idna, multidict, propcache
Required-by: aiohttp

OS

Windows 7 x64

Related component

Client

Additional context

I've tried adjusting SSL contexts, enabling/disabling verification, and testing with different configurations, but the issue persists specifically with aiohttp.
Any insights or suggestions for resolving this issue would be appreciated!

Code of Conduct

• I agree to follow the aio-libs Code of Conduct

[Cycloctane]

Can not reproduce it.

root@f1a487c98ac6:/# python3 ./test.py
[aiohttp] Status Code: 200

edit: I noticed that you mentioned using python 3.12 with windows 7. As far as i know windows 7 is not supported for python 3.9+. Could you provide more information or try reproducing this on another platform?

[JidGalaxio]

Yeah, Python 3.12 is not officially supported on Windows 7 but it works just fine. You just need an unlocked installer by adang1345.

Anyway, I've tried with an official version of Python on another Win7x64 system. The result is the same.

Versions

Microsoft Windows [Version 6.1.7601]
Python 3.8.8
aiohttp-3.10.10
multidict-6.1.0
propcache-0.2.0
yarl-1.15.1

Output

C:\Python38>python test_https.py
[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1125)]
[httpx] Status Code: 200
[requests] Status Code: 200

Traceback

Traceback (most recent call last):
  File "c:\Python38\lib\site-packages\aiohttp\connector.py", line 1098, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs, sock=sock)
  File "c:\Python38\lib\asyncio\base_events.py", line 1050, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "c:\Python38\lib\asyncio\base_events.py", line 1080, in _create_connection_transport
    await waiter
  File "c:\Python38\lib\asyncio\sslproto.py", line 529, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "c:\Python38\lib\asyncio\sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "c:\Python38\lib\ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1125)

Please note that since both requests and httpx successfully retrieve the response from the server, the issue is with aiohttp.

[webknjaz]

@JidGalaxio you should probably compare the difference between the SSLContexts being used. Might be another case of #9300 (reply in thread).

[Dreamsorcerer]

Most of us do not have Windows to test on. Therefore, you'll need to do some more testing yourself and create a test in our CI which fails on Windows.

Stackoverflow suggests something is wrong with openssl:
https://stackoverflow.com/questions/44316292/ssl-sslerror-tlsv1-alert-protocol-version#46808948

Otherwise, try creating a different SSLContext as mentioned above. Maybe changing the minimum/maximum protocol versions allowed:
https://docs.aiohttp.org/en/stable/client_advanced.html#ssl-control-for-tcp-sockets

[JidGalaxio]

I've already tried different SSLContext options.

    finally:
        print(f"SSL Protocol Version, Min: {ssl_context.minimum_version}, Max: {ssl_context.maximum_version}")

> ssl_context = ssl.create_default_context(cafile=certifi.where())

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 771 Max: -1

[httpx] Status Code: 200
SSL Protocol Version, Min: 771 Max: -1

> ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
> ssl_context.set_ciphers("ECDHE+AESGCM")
> ssl_context.check_hostname = False
> ssl_context.verify_mode = ssl.CERT_NONE

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 771 Max: -1

[httpx] Status Code: 200
SSL Protocol Version, Min: 771 Max: -1

> ssl_context = ssl.create_default_context()
> ssl_context.minimum_version = ssl.TLSVersion.TLSv1
> ssl_context.maximum_version = ssl.TLSVersion.TLSv1_1
> ssl_context.set_ciphers("HIGH:!aNULL:!eNULL")

DeprecationWarning: ssl.TLSVersion.TLSv1 is deprecated
DeprecationWarning: ssl.TLSVersion.TLSv1_1 is deprecated

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 769 Max: 770

[httpx] Error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)
SSL Protocol Version, Min: 769 Max: 770

> ssl_context = ssl.create_default_context()
> ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
> ssl_context.maximum_version = ssl.TLSVersion.TLSv1_2

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 771 Max: 771

[httpx] Status Code: 200
SSL Protocol Version, Min: 771 Max: 771

> ssl_context = ssl.create_default_context()
> ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
> ssl_context.maximum_version = ssl.TLSVersion.TLSv1_3

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 772 Max: 772

[httpx] Error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1000)
SSL Protocol Version, Min: 772 Max: 772

> ssl_context = ssl.create_default_context()
> ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: 771 Max: -1

[httpx] Status Code: 200
SSL Protocol Version, Min: 771 Max: -1

> ssl_context = ssl.create_default_context()
> ssl_context.options |= ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3

DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1000)]
SSL Protocol Version, Min: 771 Max: -1

[httpx] Error: [SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1000)
SSL Protocol Version, Min: 771 Max: -1

> ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
> ssl_context.set_ciphers("HIGH:!aNULL:!eNULL")

DeprecationWarning: ssl.PROTOCOL_TLSv1_1 is deprecated

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: -2 Max: -1

[httpx] Error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)
SSL Protocol Version, Min: -2 Max: -1

> ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
> ssl_context.set_ciphers("HIGH:!aNULL:!eNULL")

DeprecationWarning: ssl.PROTOCOL_TLSv1_2 is deprecated

[aiohttp] Error: Cannot connect to host dl2.vinafile.xyz:443 ssl:default [[SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1000)]
SSL Protocol Version, Min: -2 Max: -1

[httpx] Status Code: 200
SSL Protocol Version, Min: -2 Max: -1

[Dreamsorcerer]

ssl.OPENSSL_VERSION would probably also be useful to know.

[JidGalaxio]

ssl.OPENSSL_VERSION

OpenSSL 3.0.13 30 Jan 2024