This:

import socket, ssl

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s)
ssl_sock.connect(('www.verisign.com', 443))
ssl_sock.close()
ssl_sock.read(1024)

raises:

Traceback (most recent call last):
  File "/tmp/bug.py", line 10, in <module>
    ssl_sock.read(1024)
  File "/path/to/lib/python2.7/ssl.py", line 138, in read
    return self._sslobj.read(len)
AttributeError: 'NoneType' object has no attribute 'read'


I would expect a socket.error instead, which mimics the way regular sockets behave. Indeed, this code:

import socket, ssl

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('www.verisign.com', 80))
s.close()
s.recv(1024)

raises:

Traceback (most recent call last):
  File "/tmp/bug.py", line 6, in <module>
    s.recv(1024)
  File "/path/to/lib/python2.7/socket.py", line 170, in _dummy
    raise error(EBADF, 'Bad file descriptor')
socket.error: [Errno 9] Bad file descriptor


I've tested on the latest trunks on both 2.7 and 3.2. I've also tested on 2.6 and 3.1.

I can write a patch that fixes it if the bug is accepted.

I don't think mimicking EBADF is very useful. Reading from a closed socket is usually a programming error, so it's not the kind of error you'll want to catch at runtime.

AttributeError may not be very pretty though, so perhaps a ValueError can be raised as with closed files:

>>> f = open("LICENSE")
>>> f.close()
>>> f.read()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: I/O operation on closed file.

Here's a patch that adds checks and ValueError raises to SSLSocket.read and SSLSocket.write.

My first attempt was to add the check to _checkClosed to mirror the IOBase._checkClosed, but in SSLSocket its semantics are different (the idea is for the subclass to add custom checks if needed), and it's called from a lot of places that do gracefully handle closed sockets.

So I opted to add it manually to only the read and write methods (which allowed for more specific error messages).

Thanks for the patch, I will take a look.

ssl-socket-readwrite-after-close.diff: instead of testing "not self._sslobj", I would prefer an explicit "self._sslobj is None".

The check should be moved into the _checkClosed() method. Example:

def _checkClosed(self):
    io.RawIOBase._checkClosed(self)
    if self._sslobj is None:
        raise ValueError("I/O operation on closed SSL socket")

Oops, remove "io.RawIOBase._checkClosed(self)" from my example (I read socket.py at the same time, SSLSocket inherits from socket, not from RawIOBase).

New changeset eda7e86bf03c by Antoine Pitrou in branch 'default':
Issue #9177: Calling read() or write() now raises ValueError, not AttributeError, on a closed SSL socket.
http://hg.python.org/cpython/rev/eda7e86bf03c

Ok, I tweaked the error message a bit: _sslobj can also be None when unwrap() has been called on the socket.
Thank you for contribution!