PYTHON-5309 Ensure AsyncMongoClient doesn't use PyOpenSSL

.evergreen/generated_configs/variants.yml

@@ -740,8 +740,8 @@ buildvariants:
       PYTHON_BINARY: /Library/Frameworks/Python.Framework/Versions/3.9/bin/python3
   - name: pyopenssl-rhel8-python3.10
     tasks:
-      - name: .replica_set .auth .ssl .sync
-      - name: .7.0 .auth .ssl .sync
+      - name: .replica_set .auth .ssl .sync_async
+      - name: .7.0 .auth .ssl .sync_async
     display_name: PyOpenSSL RHEL8 Python3.10
     run_on:
       - rhel87-small
@@ -773,8 +773,8 @@ buildvariants:
       PYTHON_BINARY: /opt/python/3.12/bin/python3
   - name: pyopenssl-win64-python3.13
     tasks:
-      - name: .replica_set .auth .ssl .sync
-      - name: .7.0 .auth .ssl .sync
+      - name: .replica_set .auth .ssl .sync_async
+      - name: .7.0 .auth .ssl .sync_async
     display_name: PyOpenSSL Win64 Python3.13
     run_on:
       - windows-64-vsMulti-small

.evergreen/scripts/generate_config.py

@@ -262,14 +262,25 @@ def create_pyopenssl_variants():
             host = DEFAULT_HOST
 
         display_name = get_variant_name(base_name, host, python=python)
-        variant = create_variant(
-            [f".replica_set .{auth} .{ssl} .sync", f".7.0 .{auth} .{ssl} .sync"],
-            display_name,
-            python=python,
-            host=host,
-            expansions=expansions,
-            batchtime=batchtime,
-        )
+        # only need to run some on async
+        if python in (CPYTHONS[1], CPYTHONS[-1]):
+            variant = create_variant(
+                [f".replica_set .{auth} .{ssl} .sync_async", f".7.0 .{auth} .{ssl} .sync_async"],
+                display_name,
+                python=python,
+                host=host,
+                expansions=expansions,
+                batchtime=batchtime,
+            )
+        else:
+            variant = create_variant(
+                [f".replica_set .{auth} .{ssl} .sync", f".7.0 .{auth} .{ssl} .sync"],
+                display_name,
+                python=python,
+                host=host,
+                expansions=expansions,
+                batchtime=batchtime,
+            )
         variants.append(variant)
 
     return variants

CONTRIBUTING.md

@@ -420,3 +420,21 @@ partially-converted asynchronous version of the same name to the `test/asynchron
 Use this generated file as a starting point for the completed conversion.
 
 The script is used like so: `python tools/convert_test_to_async.py [test_file.py]`
+
+## Running PyMongo with SSL
+Note that `AsyncMongoClient` does not support PyOpenSSL.
+Assuming all required packages are installed, set the `tls` and `tlsAllowInvalidCertificates` flags in the URI to enable
+the driver to connect with SSL, like so:
+```python
+from pymongo import MongoClient
+
+client = MongoClient(
+    "mongodb://localhost:27017?tls=true&tlsAllowInvalidCertificates=true"
+)
+```
+Another way of doing this would be to pass these options in as parameters to the MongoClient, like so:
+```python
+client = MongoClient(
+    "mongodb://localhost:27017", tls=True, tlsAllowInvalidCertificates=True
+)
+```

pymongo/asynchronous/encryption.py

@@ -85,7 +85,7 @@
 )
 from pymongo.read_concern import ReadConcern
 from pymongo.results import BulkWriteResult, DeleteResult
-from pymongo.ssl_support import BLOCKING_IO_ERRORS, get_ssl_context
+from pymongo.ssl_support import BLOCKING_IO_ERRORS, PYBLOCKING_IO_ERRORS, get_ssl_context
 from pymongo.typings import _DocumentType, _DocumentTypeArg
 from pymongo.uri_parser_shared import parse_host
 from pymongo.write_concern import WriteConcern
@@ -180,6 +180,7 @@ async def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
                 False,  # disable_ocsp_endpoint_check
+                _IS_SYNC,
             )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
@@ -215,7 +216,7 @@ async def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 raise  # Propagate MongoCryptError errors directly.
             except Exception as exc:
                 # Wrap I/O errors in PyMongo exceptions.
-                if isinstance(exc, BLOCKING_IO_ERRORS):
+                if isinstance(exc, (BLOCKING_IO_ERRORS, PYBLOCKING_IO_ERRORS)):
                     exc = socket.timeout("timed out")
                 # Async raises an OSError instead of returning empty bytes.
                 if isinstance(exc, OSError):
@@ -674,6 +675,7 @@ def __init__(
             key_vault_namespace,
             kms_tls_options=kms_tls_options,
             key_expiration_ms=key_expiration_ms,
+            is_sync=_IS_SYNC,
         )
         self._io_callbacks: Optional[_EncryptionIO] = _EncryptionIO(
             None, key_vault_coll, None, opts

pymongo/asynchronous/pool.py

@@ -85,7 +85,7 @@
 from pymongo.server_api import _add_to_command
 from pymongo.server_type import SERVER_TYPE
 from pymongo.socket_checker import SocketChecker
-from pymongo.ssl_support import SSLError
+from pymongo.ssl_support import PYSSLError, SSLError
 
 if TYPE_CHECKING:
     from bson import CodecOptions
@@ -637,7 +637,7 @@ async def _raise_connection_failure(self, error: BaseException) -> NoReturn:
             reason = ConnectionClosedReason.ERROR
         await self.close_conn(reason)
         # SSLError from PyOpenSSL inherits directly from Exception.
-        if isinstance(error, (IOError, OSError, SSLError)):
+        if isinstance(error, (IOError, OSError, SSLError, PYSSLError)):
             details = _get_timeout_details(self.opts)
             _raise_connection_failure(self.address, error, timeout_details=details)
         else:
@@ -1033,7 +1033,7 @@ async def connect(self, handler: Optional[_MongoClientErrorHandler] = None) -> A
                     reason=_verbose_connection_error_reason(ConnectionClosedReason.ERROR),
                     error=ConnectionClosedReason.ERROR,
                 )
-            if isinstance(error, (IOError, OSError, SSLError)):
+            if isinstance(error, (IOError, OSError, SSLError, PYSSLError)):
                 details = _get_timeout_details(self.opts)
                 _raise_connection_failure(self.address, error, timeout_details=details)
 

pymongo/client_options.py

@@ -84,7 +84,9 @@ def _parse_read_concern(options: Mapping[str, Any]) -> ReadConcern:
     return ReadConcern(concern)
 
 
-def _parse_ssl_options(options: Mapping[str, Any]) -> tuple[Optional[SSLContext], bool]:
+def _parse_ssl_options(
+    options: Mapping[str, Any], is_sync: bool
+) -> tuple[Optional[SSLContext], bool]:
     """Parse ssl options."""
     use_tls = options.get("tls")
     if use_tls is not None:
@@ -138,6 +140,7 @@ def _parse_ssl_options(options: Mapping[str, Any]) -> tuple[Optional[SSLContext]
             allow_invalid_certificates,
             allow_invalid_hostnames,
             disable_ocsp_endpoint_check,
+            is_sync,
         )
         return ctx, allow_invalid_hostnames
     return None, allow_invalid_hostnames
@@ -167,7 +170,7 @@ def _parse_pool_options(
     compression_settings = CompressionSettings(
         options.get("compressors", []), options.get("zlibcompressionlevel", -1)
     )
-    ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options)
+    ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options, is_sync)
     load_balanced = options.get("loadbalanced")
     max_connecting = options.get("maxconnecting", common.MAX_CONNECTING)
     return PoolOptions(

pymongo/encryption_options.py

@@ -58,6 +58,7 @@ def __init__(
         bypass_query_analysis: bool = False,
         encrypted_fields_map: Optional[Mapping[str, Any]] = None,
         key_expiration_ms: Optional[int] = None,
+        is_sync: bool = True,
     ) -> None:
         """Options to configure automatic client-side field level encryption.
 
@@ -236,7 +237,7 @@ def __init__(
         if not any("idleShutdownTimeoutSecs" in s for s in self._mongocryptd_spawn_args):
             self._mongocryptd_spawn_args.append("--idleShutdownTimeoutSecs=60")
         # Maps KMS provider name to a SSLContext.
-        self._kms_ssl_contexts = _parse_kms_tls_options(kms_tls_options)
+        self._kms_ssl_contexts = _parse_kms_tls_options(kms_tls_options, is_sync)
         self._bypass_query_analysis = bypass_query_analysis
         self._key_expiration_ms = key_expiration_ms
 

pymongo/pool_shared.py

@@ -38,7 +38,7 @@
 )
 from pymongo.network_layer import AsyncNetworkingInterface, NetworkingInterface, PyMongoProtocol
 from pymongo.pool_options import PoolOptions
-from pymongo.ssl_support import HAS_SNI, SSLError
+from pymongo.ssl_support import HAS_SNI, PYSSLError, SSLError
 
 if TYPE_CHECKING:
     from pymongo.pyopenssl_context import _sslConn
@@ -138,7 +138,7 @@ def _raise_connection_failure(
         msg += format_timeout_details(timeout_details)
     if isinstance(error, socket.timeout):
         raise NetworkTimeout(msg) from error
-    elif isinstance(error, SSLError) and "timed out" in str(error):
+    elif isinstance(error, (SSLError, PYSSLError)) and "timed out" in str(error):
         # Eventlet does not distinguish TLS network timeouts from other
         # SSLErrors (https://github.com/eventlet/eventlet/issues/692).
         # Luckily, we can work around this limitation because the phrase
@@ -293,7 +293,7 @@ async def _async_configured_socket(
         # Raise _CertificateError directly like we do after match_hostname
         # below.
         raise
-    except (OSError, SSLError) as exc:
+    except (OSError, SSLError, PYSSLError) as exc:
         sock.close()
         # We raise AutoReconnect for transient and permanent SSL handshake
         # failures alike. Permanent handshake failures, like protocol
@@ -349,7 +349,7 @@ async def _configured_protocol_interface(
         # Raise _CertificateError directly like we do after match_hostname
         # below.
         raise
-    except (OSError, SSLError) as exc:
+    except (OSError, SSLError, PYSSLError) as exc:
         # We raise AutoReconnect for transient and permanent SSL handshake
         # failures alike. Permanent handshake failures, like protocol
         # mismatch, will be turned into ServerSelectionTimeoutErrors later.
@@ -467,7 +467,7 @@ def _configured_socket(address: _Address, options: PoolOptions) -> Union[socket.
         # Raise _CertificateError directly like we do after match_hostname
         # below.
         raise
-    except (OSError, SSLError) as exc:
+    except (OSError, SSLError, PYSSLError) as exc:
         sock.close()
         # We raise AutoReconnect for transient and permanent SSL handshake
         # failures alike. Permanent handshake failures, like protocol
@@ -516,7 +516,7 @@ def _configured_socket_interface(address: _Address, options: PoolOptions) -> Net
         # Raise _CertificateError directly like we do after match_hostname
         # below.
         raise
-    except (OSError, SSLError) as exc:
+    except (OSError, SSLError, PYSSLError) as exc:
         sock.close()
         # We raise AutoReconnect for transient and permanent SSL handshake
         # failures alike. Permanent handshake failures, like protocol

pymongo/ssl_support.py

@@ -15,16 +15,19 @@
 """Support for SSL in PyMongo."""
 from __future__ import annotations
 
+import types
 import warnings
-from typing import Optional
+from typing import Any, Optional, Union
 
 from pymongo.errors import ConfigurationError
 
 HAVE_SSL = True
+HAVE_PYSSL = True
 
 try:
-    import pymongo.pyopenssl_context as _ssl
+    import pymongo.pyopenssl_context as _pyssl
 except (ImportError, AttributeError) as exc:
+    HAVE_PYSSL = False
     if isinstance(exc, AttributeError):
         warnings.warn(
             "Failed to use the installed version of PyOpenSSL. "
@@ -35,10 +38,10 @@
             UserWarning,
             stacklevel=2,
         )
-    try:
-        import pymongo.ssl_context as _ssl  # type: ignore[no-redef]
-    except ImportError:
-        HAVE_SSL = False
+try:
+    import pymongo.ssl_context as _ssl
+except ImportError:
+    HAVE_SSL = False
 
 
 if HAVE_SSL:
@@ -57,6 +60,20 @@
     BLOCKING_IO_WRITE_ERROR = _ssl.BLOCKING_IO_WRITE_ERROR
     BLOCKING_IO_LOOKUP_ERROR = BLOCKING_IO_READ_ERROR
 
+    if HAVE_PYSSL:
+        PYSSLError: Any = _pyssl.SSLError
+        PYBLOCKING_IO_ERRORS: Any = _pyssl.BLOCKING_IO_ERRORS
+        PYBLOCKING_IO_READ_ERROR: Any = _pyssl.BLOCKING_IO_READ_ERROR
+        PYBLOCKING_IO_WRITE_ERROR: Any = _pyssl.BLOCKING_IO_WRITE_ERROR
+        PYBLOCKING_IO_LOOKUP_ERROR: Any = BLOCKING_IO_READ_ERROR
+    else:
+        # just make them the same as SSL so imports won't error
+        PYSSLError = _ssl.SSLError
+        PYBLOCKING_IO_ERRORS = _ssl.BLOCKING_IO_ERRORS
+        PYBLOCKING_IO_READ_ERROR = _ssl.BLOCKING_IO_READ_ERROR
+        PYBLOCKING_IO_WRITE_ERROR = _ssl.BLOCKING_IO_WRITE_ERROR
+        PYBLOCKING_IO_LOOKUP_ERROR = BLOCKING_IO_READ_ERROR
+
     def get_ssl_context(
         certfile: Optional[str],
         passphrase: Optional[str],
@@ -65,10 +82,15 @@ def get_ssl_context(
         allow_invalid_certificates: bool,
         allow_invalid_hostnames: bool,
         disable_ocsp_endpoint_check: bool,
-    ) -> _ssl.SSLContext:
+        is_sync: bool,
+    ) -> Union[_pyssl.SSLContext, _ssl.SSLContext]:  # type: ignore[name-defined]
         """Create and return an SSLContext object."""
+        if is_sync and HAVE_PYSSL:
+            ssl_in_use: types.ModuleType = _pyssl
+        else:
+            ssl_in_use = _ssl
         verify_mode = CERT_NONE if allow_invalid_certificates else CERT_REQUIRED
-        ctx = _ssl.SSLContext(_ssl.PROTOCOL_SSLv23)
+        ctx = ssl_in_use.SSLContext(ssl_in_use.PROTOCOL_SSLv23)
         if verify_mode != CERT_NONE:
             ctx.check_hostname = not allow_invalid_hostnames
         else:
@@ -80,22 +102,20 @@ def get_ssl_context(
             # up to date versions of MongoDB 2.4 and above already disable
             # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
             # and >= 3.3.4 and SSLv3 in >= 3.4.3.
-            ctx.options |= _ssl.OP_NO_SSLv2
-            ctx.options |= _ssl.OP_NO_SSLv3
-            ctx.options |= _ssl.OP_NO_COMPRESSION
-            ctx.options |= _ssl.OP_NO_RENEGOTIATION
+            ctx.options |= ssl_in_use.OP_NO_SSLv2
+            ctx.options |= ssl_in_use.OP_NO_SSLv3
+            ctx.options |= ssl_in_use.OP_NO_COMPRESSION
+            ctx.options |= ssl_in_use.OP_NO_RENEGOTIATION
         if certfile is not None:
             try:
                 ctx.load_cert_chain(certfile, None, passphrase)
-            except _ssl.SSLError as exc:
+            except ssl_in_use.SSLError as exc:
                 raise ConfigurationError(f"Private key doesn't match certificate: {exc}") from None
         if crlfile is not None:
-            if _ssl.IS_PYOPENSSL:
+            if ssl_in_use.IS_PYOPENSSL:
                 raise ConfigurationError("tlsCRLFile cannot be used with PyOpenSSL")
             # Match the server's behavior.
-            ctx.verify_flags = getattr(  # type:ignore[attr-defined]
-                _ssl, "VERIFY_CRL_CHECK_LEAF", 0
-            )
+            ctx.verify_flags = getattr(ssl_in_use, "VERIFY_CRL_CHECK_LEAF", 0)
             ctx.load_verify_locations(crlfile)
         if ca_certs is not None:
             ctx.load_verify_locations(ca_certs)

pymongo/synchronous/encryption.py

@@ -80,7 +80,7 @@
 )
 from pymongo.read_concern import ReadConcern
 from pymongo.results import BulkWriteResult, DeleteResult
-from pymongo.ssl_support import BLOCKING_IO_ERRORS, get_ssl_context
+from pymongo.ssl_support import BLOCKING_IO_ERRORS, PYBLOCKING_IO_ERRORS, get_ssl_context
 from pymongo.synchronous.collection import Collection
 from pymongo.synchronous.cursor import Cursor
 from pymongo.synchronous.database import Database
@@ -179,6 +179,7 @@ def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
                 False,  # disable_ocsp_endpoint_check
+                _IS_SYNC,
             )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
@@ -214,7 +215,7 @@ def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 raise  # Propagate MongoCryptError errors directly.
             except Exception as exc:
                 # Wrap I/O errors in PyMongo exceptions.
-                if isinstance(exc, BLOCKING_IO_ERRORS):
+                if isinstance(exc, (BLOCKING_IO_ERRORS, PYBLOCKING_IO_ERRORS)):
                     exc = socket.timeout("timed out")
                 # Async raises an OSError instead of returning empty bytes.
                 if isinstance(exc, OSError):
@@ -667,6 +668,7 @@ def __init__(
             key_vault_namespace,
             kms_tls_options=kms_tls_options,
             key_expiration_ms=key_expiration_ms,
+            is_sync=_IS_SYNC,
         )
         self._io_callbacks: Optional[_EncryptionIO] = _EncryptionIO(
             None, key_vault_coll, None, opts