Pass default SSLContext instances to Octoprint custom HTTP sessions

[vexofp]

Proposed change

This PR restores the use of the default Home Assistant SSLContext instances in the Octoprint integration. In #90001, a switch was made to use custom HTTP sessions. These sessions are currently creating their own SSL contexts. Using different contexts can lead to inconsistent request failures, due to different SSL configurations being used for different requests (which is how I discovered this).

Currently, we pass ssl=None/False when creating the custom aiohttp.TCPConnector, which causes it to create its own context with or without verification, respectively. Instead, this PR passes in the appropriately configured default Home Assistant SSLContext instance from get_default_context() or get_default_no_verify_context(), respectively.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes Octoprint integration does not use default SSLContext instances #105350
• This PR is related to issue:
• Link to documentation pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Ruff (ruff format homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[home-assistant]

Hey there @rfleming71, mind taking a look at this pull request as it has been labeled with an integration (octoprint) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of octoprint can trigger bot actions by commenting:

• @home-assistant close Closes the pull request.
• @home-assistant rename Awesome new title Renames the pull request.
• @home-assistant reopen Reopen the pull request.
• @home-assistant unassign octoprint Removes the current integration label and assignees on the pull request, add the integration domain after the command.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

[vexofp]

No test case currently, as I could not think of a clean way to write one for this. Happy to add if anyone has a good idea how to go about it.

[edenhaus]

Using different contexts can lead to inconsistent request failures, due to different SSL configurations being used for different requests (which is how I discovered this).

Can you please explain this further? When are different requests using different SSL configurations?

[vexofp]

Can you please explain this further? When are different requests using different SSL configurations?

Sure.

Since #90001, the Octoprint integration is creating its own aiohttp session. When doing so, it is passing ssl=False or None, which causes aiohttp to create a new SSLContext for that session, and configure it per its own defaults.

Most other parts of Home Assistant, such as the REST integration, use the shared "default" HTTP sessions (aiohttp_client.async_get_clientsession() or httpx_client.get_async_client()) which in turn used the shared SSLContext (get_default_context() and get_default_no_verify_context()).

An SSLContext controls the various TLS configuration options, such as allowed protocol options, cipher suites, trusted certificate authorities, and client authentication certificates. So any time you have two different contexts, with potentially two different configurations, it is possible that those differences could cause a connection using one to succeed while the other fails. When this happens inside a single application, it can be very confusing why some requests are succeeding and others are failing.

Concretely, the way that Home Assistant configures its contexts is similar to what aiohttp currently does, but not identical. (And this could diverge further at any point in time, since we have no control over their default configuration.) In particular, when setting which certificate authorities to trust, Home Assistant honors the REQUESTS_CA_BUNDLE environment variable, and falls back to using certifi. aiohttp, on the other hand, just uses the OS-default authorities.

Thus, the Octoprint integration may fail to make a TLS connection while the REST integration succeeds for the same server, or vice versa. This happens when the user has set REQUESTS_CA_BUNDLE with a bundle that trusts the server, but the OS-default does not. Or when the server's certificate is trusted by the OS-default list, but not certifi. Etc.

The best way to ensure consistent behavior is to try to use the same contexts everywhere.

Re-using contexts also has performance benefits. The context is the container for various caches such as TLS session identifiers/tickets, which enable faster and more efficient reconnections. And of course, slightly less memory usage.

[MartinHjelmare]

Looks good!

[edenhaus]

Thanks @vexofp 👍

[bdraco]

tagged for 2024.1.6 because this fixes the mypy failure seen in #109028