Title: ssl unwrap fails with Error 0
Type: behavior Stage:
Components: None Versions: Python 3.1, Python 3.2, Python 2.7
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: pitrou Nosy List: apollo13, frispete, georg.brandl, giampaolo.rodola, martin.panter, pitrou
Priority: normal Keywords:

Created on 2011-01-02 19:52 by apollo13, last changed 2016-09-18 04:41 by martin.panter. This issue is now closed.

File name Uploaded Description Edit apollo13, 2011-01-02 19:52
Messages (6)
msg125081 - (view) Author: Florian Apolloner (apollo13) Date: 2011-01-02 19:52
If I use the server code in the attachment I get this error in unwrap:

Traceback (most recent call last):
  File "", line 23, in <module>
  File "", line 13, in deal_with_client
    s = connstream.unwrap()
  File "/usr/lib/python3.1/", line 302, in unwrap
    s = self._sslobj.shutdown()
socket.error: [Errno 0] Error

This error message is imo far from optiomal as it gives no clue whatsoever. My Openssl version is: 'OpenSSL 0.9.8o 01 Jun 2010'. Aside from that connstream.close() doesn't close the underlying socket (as seen in Reproduceable with py2.6 and 2.7). The only way to properly close the connection now is:

connstream.close(); newsocket.close()
del newsocket; connstream.close()
Maybe the docs should point that out more prominent.

If you need more info just tell me.
msg125673 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-07 18:23
As we discussed on IRC, there are two things here:

- unwrap() can give an error because it tries to shutdown the SSL layer cleanly, and the other side doesn't support it or is already closed; unwrap() is useful mostly if you plan to use the clear-text layer afterwards, otherwise you can just call shutdown(socket.SHUT_RDWR) and then close()

- the error message and errnos are totally bogus, but I'm afraid that's because of OpenSSL giving us this information.
msg125679 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2011-01-07 18:48
"This information" being no information, is that really all you can get out of OpenSSL?
msg125681 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-07 18:50
> "This information" being no information, is that really all you can get out of OpenSSL?

Well the situation as the same as a system call which would return
failure but leave errno 0 (except that OpenSSL has its own
OpenSSL's error reporting is unfortunately poorly if at all documented,
and I don't know what to do here.
msg265185 - (view) Author: Hans-Peter Jansen (frispete) * Date: 2016-05-09 09:30
Poor old bug.

Just being bitten from it today, while trying to package pyftpdlib on the openSUSE build service, which creates a clean reproducible build environment for all packages, and testing fails.

Part of the game: openssl 1.0.1k, Python 2.7.8

It happens reproducible for i586 only, but not for x86_64, with all the same versions, and not with a local (much faster) build host.

So it is smells like a timing problem.

[   97s] ERROR: test_nlst (test_functional_ssl.TestFtpListingCmdsTLSMixin)
[   97s] ----------------------------------------------------------------------
[   97s] Traceback (most recent call last):
[   97s]   File "/home/abuild/rpmbuild/BUILD/pyftpdlib-1.5.1/pyftpdlib/test/", line 139, in test_nlst
[   97s]     super(TestFtpListingCmdsTLSMixin, self).test_nlst()
[   97s]   File "/home/abuild/.local/lib/python2.7/site-packages/pyftpdlib-1.5.1-py2.7.egg/pyftpdlib/test/", line 1187, in test_nlst
[   97s]     self._test_listing_cmds('nlst')
[   97s]   File "/home/abuild/.local/lib/python2.7/site-packages/pyftpdlib-1.5.1-py2.7.egg/pyftpdlib/test/", line 1180, in _test_listing_cmds
[   97s]     self.client.retrlines('%s %s' % (cmd, tempdir), x.append)
[   97s]   File "/usr/lib/python2.7/", line 735, in retrlines
[   97s]     conn.unwrap()
[   97s]   File "/usr/lib/python2.7/", line 289, in unwrap
[   97s]     s = self._sslobj.shutdown()
[   97s] error: [Errno 0] Error
msg276870 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-09-18 04:41
I understand this condition happens when the local end calls unwrap(), but the low-level socket connection has already been shut down from the remote end. If the remote is too slow, I get ConnectionResetError instead.

There is some discussion of this at <>. I tend to agree with Antoine that unfortunately there is not much Python can do without help from Open SSL. I.e. can we rely on SSL_shutdown() always setting errno = 0 to indicate Python should raise SSLEOFError, or should Open SSL add some new way of indicating this condition?
Date User Action Args
2016-09-18 04:41:17martin.pantersetnosy: + martin.panter
messages: + msg276870
2016-05-09 09:30:02frispetesetnosy: + frispete
messages: + msg265185
2011-05-20 21:14:03giampaolo.rodolasetnosy: + giampaolo.rodola
2011-01-07 18:50:24pitrousetnosy: georg.brandl, pitrou, apollo13
messages: + msg125681
2011-01-07 18:48:32georg.brandlsetnosy: + georg.brandl
messages: + msg125679
2011-01-07 18:23:28pitrousetstatus: open -> closed
versions: + Python 3.2, - Python 2.6
nosy: pitrou, apollo13
messages: + msg125673

resolution: wont fix
2011-01-02 21:24:01georg.brandlsetassignee: pitrou

nosy: + pitrou
2011-01-02 19:52:12apollo13create