
Author: christian.heimes
Recipients: alex, cheryl.sabella, christian.heimes, martin.panter, njs, vstinner
Date: 2018-01-22 10:17:13
Message-id: <1516616233.24.0.467229070634.issue27815@psf.upfronthosting.co.za>

You have to tell OpenSSL that a hard-close is expected and fine. If you just SSL_free() the SSL connection, then OpenSSL removes the session from the SSL_CTX's session cache. It assumes that something went wrong and defaults to secure defaults. "Wrong" doesn't necessarily mean that an attacker has compromised a connection.

In order to flag a session as valid, you have to SSL_set_quiet_shutdown(ssl, 1), SSL_shutdown(ssl), SSL_free(ssl). With quiet shutdown set, SSL_shutdown() neither sends nor waits for any data.

One-way shutdown with non-blocking trick is evil. Cool hack :)

SSLSocket and SSLObject should really support different shutdown modes, e.g. s.shutdown(mode=0) for quiet, mode=1 for unidirectional and mode=2 for bidirectional.
History
Date | User | Action | Args
2018-01-22 10:17:13 | christian.heimes | set | recipients: + christian.heimes, vstinner, alex, njs, martin.panter, cheryl.sabella
2018-01-22 10:17:13 | christian.heimes | set | messageid: <1516616233.24.0.467229070634.issue27815@psf.upfronthosting.co.za>
2018-01-22 10:17:13 | christian.heimes | link | issue27815 messages
2018-01-22 10:17:13 | christian.heimes | create |