SSL verification is skipped even if ssl == True #6828

Closed
1 task done
huang-ann opened this issue Jul 17, 2022 · 2 comments

huang-ann commented Jul 17, 2022

Describe the bug

When I tried to connect to a host without ssl verification, I learned from this doc that I could set ssl to False to skip verification.

However, I found that ssl verification would be skipped even if I set ssl to True. Since the deprecated verify_ssl worked as I expected, it seems that there are bugs in ssl.

| Parameter | True | False | None (default) |
|---|---|---|---|
| ssl | skip | skip | not skip |
| verify_ssl | not skip | skip | not skip |

BTW, I also hope that the bug mentioned in this issue (#4099) could be addressed!

To Reproduce

  1. Enter python in terminal to test in interactive mode
  2. Use the following script, which is based on the examples in aiohttp doc
```python
import asyncio
import aiohttp

async def main(ssl):
    async with aiohttp.ClientSession() as session:
        async with session.get(url='https://self-signed.badssl.com/', ssl=ssl) as resp:
            print(resp.status)
            print(await resp.text())

asyncio.run(main(True))
```

Expected behavior

Since the website (https://self-signed.badssl.com/) is self-signed, I expect some errors to occur. However, it works well. I will provide the logs for ssl == True and ssl == None, which I expect would be the same, in the following.

Logs/tracebacks

1. ssl == True
200
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="shortcut icon" href="/icons/favicon-red.ico"/>
  <link rel="apple-touch-icon" href="/icons/icon-red.png"/>
  <title>self-signed.badssl.com</title>
  <link rel="stylesheet" href="/style.css">
  <style>body { background: red; }</style>
</head>
<body>
<div id="content">
  <h1 style="font-size: 12vw;">
    self-signed.<br>badssl.com
  </h1>
</div>

</body>
</html>

2. ssl == None
Traceback (most recent call last):
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 986, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)  # type: ignore[return-value]  # noqa
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/base_events.py", line 1081, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/base_events.py", line 1111, in _create_connection_transport
    await waiter
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/sslproto.py", line 528, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/sslproto.py", line 188, in feed_ssldata
    self._sslobj.do_handshake()
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/Users/ann.huang/.pyenv/versions/3.9.6/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "<stdin>", line 3, in main
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/client.py", line 1138, in __aenter__
    self._resp = await self._coro
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/client.py", line 535, in _request
    conn = await self._connector.connect(
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 542, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 907, in _create_connection
    _, proto = await self._create_direct_connection(req, traces, timeout)
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 1206, in _create_direct_connection
    raise last_exc
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 1175, in _create_direct_connection
    transp, proto = await self._wrap_create_connection(
  File "/Users/ann.huang/.pyenv/versions/aiqua-intel-backend/lib/python3.9/site-packages/aiohttp/connector.py", line 988, in _wrap_create_connection
    raise ClientConnectorCertificateError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host self-signed.badssl.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')]

Python Version

3.9.6

aiohttp Version

3.8.1

multidict Version

6.0.2

yarl Version

1.7.2

OS

macOS

Related component

Client

Additional context

No response

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct
@huang-ann huang-ann added the bug label Jul 17, 2022
@Dreamsorcerer
Member

That documentation doesn't list True as an expected value...

@Dreamsorcerer
Member

If you want to do something other than the default, then create a custom ssl.SSLContext: https://docs.python.org/3/library/ssl.html#ssl.SSLContext
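The custom-context route suggested above, as an added example (not code from aiohttp or from this thread): a strict resolver that turns a `True` / `False` / `None` setting into an explicit `ssl.SSLContext`, so a bare boolean never reaches the client's `ssl=` parameter. The helper names are hypothetical; only the standard-library `ssl` module is used.

```python
import ssl
from typing import Optional


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the certificate chain and the hostname (stdlib defaults)."""
    # create_default_context() sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; cafile optionally pins a private CA bundle.
    return ssl.create_default_context(cafile=cafile)


def non_verifying_context() -> ssl.SSLContext:
    """Explicit opt-out, e.g. for a self-signed test host."""
    ctx = ssl.create_default_context()
    # Order matters: setting CERT_NONE while check_hostname is still True
    # raises ValueError, so hostname checking is disabled first.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both chain and hostname validation are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def resolve_ssl(value) -> ssl.SSLContext:
    """Map a configuration value onto an explicit context.

    True and None both mean "verify"; only a literal False disables it.
    Anything else (1, 0, "yes", ...) is rejected instead of being guessed.
    """
    if isinstance(value, ssl.SSLContext):
        return value
    if value is None or value is True:
        return verifying_context()
    if value is False:
        return non_verifying_context()
    raise TypeError(f"unsupported ssl setting: {value!r}")


if __name__ == "__main__":
    for setting in (True, None, False):
        ctx = resolve_ssl(setting)
        print(f"{setting!r:>5} -> verifying={is_verifying(ctx)}")
    # The resolved context is then passed to the client, e.g.
    #   session.get(url, ssl=resolve_ssl(setting))
```

Checking `is_verifying()` on the resolved context in a unit test catches a configuration path that silently disables verification.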
