In ssl.py of Python 2.6.1 we have this code in  SSLSocket.__init__():

            if do_handshake_on_connect:
                timeout = self.gettimeout()
                try:
                    self.settimeout(None)
                    self.do_handshake()
                finally:
                    self.settimeout(timeout)

The problem is, what happens if the remote end (server) is hanging when
do_handshake() is called?  The result is that the user-requested timeout
will be ignored, and the connection will hang until the TCP socket
timeout expires.

This is easily reproducable with this test code:


import urllib2
urllib2.urlopen("https://localhost:9000/", timeout=2.0)


and running netcat on port 9000, i.e.:

nc -l -p 9000 localhost

If you use "http" instead of "https", the timeout works as expected
(after 2 seconds in this case).

Why not just remove the removal of the timeout.

i believe that the bug lies in bad implementation/backport of feature
from 3.0 patch for issue1251.

see this revision:
http://svn.python.org/view/python/branches/release30-maint/Lib/ssl.py?r1=59339&r2=59340
where the code was added for py3k branch.

the logic behind that code is that when the timeout is zero
(non-blocking socket), but the caller explicitly specifies that they
want to block (which only happens when an application handles
do_handshake by itself), timeout is set to None and reset to zero after
the call.
and this change was made to "better support non-blocking sockets", the
original patch (
http://svn.python.org/view/python/branches/py3k/Lib/ssl.py?view=diff&r1=58996&r2=58997
) did not have this code at all

on the other hand, what the 2.6 version does is not making any sense. i
don't even see how it got to be that way instead of using py3k's
do_handshake with optional "block" parameter - seeing as the change was
made six months later and changed the API anyway

the correct thing to do here is simply

if do_handshake_on_connect:
    self.do_handshake()

without the timeout setting/resetting stuff

This is happening 'in the wild' to me fairly regularly.  Since it's not hanging in python, I can't watchdog/kill the thread it's happening in.  matejcik seems correct on fixing this, there's no need to unset the timeout here.

I believe this issue may be responsible for causing a very long hang in my application.  Here's an example of it hanging for 30 minutes.  Yes - minutes. 

[UI] 2010-04-03 11:33:34,209 DEBUG: Communicating with GUI on 127.0.0.1:9095 - timeout 10 seconds
[UI] 2010-04-03 12:03:16,118 ERROR: Error in send_gui_command()!
Traceback (most recent call last):
  File "javaui.pyc", line 72, in send_message
  File "client.pyc", line 506, in send_message_with_params
  File "client.pyc", line 230, in call
  File "client.pyc", line 94, in do_request
  File "httplib.pyc", line 1100, in connect
  File "ssl.pyc", line 350, in wrap_socket
  File "ssl.pyc", line 118, in __init__
  File "ssl.pyc", line 293, in do_handshake
error: [Errno 10053] An established connection was aborted by the software in your host machine

This is Python 2.6.4 on Windows.  (This particular time it happened on a 32-bit Server 2008 system). 

My guess is that after that 30 minute time period, Windows is seeing that the connection is hung and it's just aborting it?

Bill, I think we should move forward with this. Do you agree that removing the timeout dance is the right solution?

Here is a patch, with tests. I also had to rework the asyncore-based test server in test_ssl, and fixed an omission in _ssl.c's do_handshake method.

(works with OpenSSL 0.9.8k and 1.0.0)

New patch fixing test_poplib failures.

Fixed in trunk (r80452) and 2.6 (r80453). Also ported relevant parts to 3.x (one half of the test had to be disabled because or #8524).