ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak

[HaithamMaya]

• asyncpg version: 0.18.3
• PostgreSQL version: N/A
• Do you use a PostgreSQL SaaS? If so, which? Can you reproduce
  the issue with a local PostgreSQL install?:
• Python version: 3.7.4
• Platform: Docker python:3.7-slim (issue is as of python 3.7.4 release 3 days ago)
• Do you use pgbouncer?:
• Did you install asyncpg with pip?: yes
• If you built asyncpg locally, which version of Cython did you use?:
• Can the issue be reproduced under both asyncio and
  uvloop?:

An issue very similar to #238 started occuring 3 days ago after python 3.7.4 was released. Pinning my docker to 3.7.3-slim fixed the issue.

	ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1076)
	The above exception was the direct cause of the following exception:
	asyncpg.exceptions.ConnectionDoesNotExistError: connection was closed in the middle of operation
	Future exception was never retrieved
	future: <Future finished exception=ConnectionDoesNotExistError('connection was closed in the middle of operation')>
	Traceback (most recent call last):
	  File "/home/mydirectory/app/__init__.py", line 13, in register_db
	    app.pool = await asyncpg.create_pool(**Config.DATABASE_CONFIG, loop=loop, max_size=100)
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/pool.py", line 400, in _async__init__
	    await self._initialize()
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/pool.py", line 417, in _initialize
	    await first_ch.connect()
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/pool.py", line 125, in connect
	    self._con = await self._pool._get_new_connection()
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/pool.py", line 463, in _get_new_connection
	    **self._connect_kwargs)
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connection.py", line 1688, in connect
	    max_cacheable_statement_size=max_cacheable_statement_size)
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connect_utils.py", line 551, in _connect
	    raise last_error
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connect_utils.py", line 543, in _connect
	    connection_class=connection_class)
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connect_utils.py", line 513, in _connect_addr
	    connector, timeout=timeout, loop=loop)
	  File "/usr/local/lib/python3.7/asyncio/tasks.py", line 442, in wait_for
	    return fut.result()
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connect_utils.py", line 606, in _create_ssl_connection
	    ssl_is_advisory=ssl_is_advisory)
	  File "/opt/venv/lib/python3.7/site-packages/asyncpg/connect_utils.py", line 592, in _negotiate_ssl_connection
	    return await conn_factory(sock=sock)  # Must come after tr.close()
	  File "uvloop/loop.pyx", line 1945, in create_connection
	  File "uvloop/loop.pyx", line 1942, in uvloop.loop.Loop.create_connection
	  File "uvloop/sslproto.pyx", line 500, in uvloop.loop.SSLProtocol._on_handshake_complete
	  File "uvloop/sslproto.pyx", line 484, in uvloop.loop.SSLProtocol._do_handshake
	  File "/usr/local/lib/python3.7/ssl.py", line 774, in do_handshake
	    self._sslobj.do_handshake()

[HaithamMaya]

In my docker:

ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /certs/rds-combined-ca-bundle.pem

My code:

ctx = ssl.create_default_context(cafile='/certs/rds-combined-ca-bundle.pem')
DATABASE_CONFIG = {
        'host': os.environ['DATABASE_HOST'],
        'port': os.environ['DATABASE_PORT'],
        'database': os.environ['DATABASE_NAME'],
        'user': os.environ['DATABASE_USER'],
        'password': os.environ['DATABASE_PASSWORD'],
        'ssl': ctx
}
app.pool = await asyncpg.create_pool(**DATABASE_CONFIG, loop=loop, max_size=100)

Turning off verification works, but its not really a solution:

ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

[elprans]

This seems like a server-side issue.

[HaithamMaya]

@elprans downgrading from python:3.7.4-slim to python:3.7.3-slim completely fixes the issue.

[elprans]

There has probably been a change in Python ssl module policy that made RDS certs to be treated as insecure by default. asyncpg itself doesn't impose a specific policy and simply uses the Python default.

[slavanap]

FYI, that update to _ssl .so dynlib had broken a lot of connectors, including MySQL. I'd suggest if that happens again try to detect what module imports ssl. For example, MySQL conn works perfectly if import _ssl is not issued.