➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2013-08-29 21:36 by zielmicha, last changed 2022-04-11 14:57 by admin.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| ssl-shutdown-fail.patch | zielmicha, 2013-08-29 21:36 | review | ||
| Messages (6) | |||
|---|---|---|---|
| msg196494 - (view) | Author: Michał Zieliński (zielmicha) | Date: 2013-08-29 21:36 | |
SSLSocket documentation mentions shutdown as analogue to socket.shutdown. However, instead of forbidding communication, it removes SSL wrapper from socket. For example, the following script doesn't work and returns garbage:
import socket
import ssl
s = socket.socket()
s.connect(('google.com', 443))
client = ssl.wrap_socket(s)
client.sendall(b'GET / HTTP/1.0\nConnection: close\n\n')
client.shutdown(socket.SHUT_WR)
print(repr(client.recv(40)))
Attached patch makes shutdown raise exception if how != SHUT_RDWR, as closing one side of socket over SSL doesn't make sense (unless I'm missing something).
|
|||
| msg272351 - (view) | Author: Stéphane Wirtel (matrixise) *  |
Date: 2016-08-10 17:48 | |
Christian, What do you think about this issue ? 1. Fix for 3.5 and 3.6 2. Maybe for 2.7 ? |
|||
| msg277423 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2016-09-26 14:33 | |
Sounds fine, but it's not a security issue. I'm re-targeting the bug for 3.7. |
|||
| msg301389 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-05 22:40 | |
Sounds like a good idea. |
|||
| msg301390 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2017-09-05 22:49 | |
This will needlessly break code which until now accepts both kinds of sockets. By the way, socket.shutdown() doesn't specify that *only* one direction is shut down when using SHUT_RD or SHUT_WR; what is guaranteed is that *at least* the given direction will shut down. But there may be socket types where unidirectional shutdown is not supported and both directions will be shut down. This is (approximately) what SSLSocket does -- though the SSL unwrapping part is a bit unintuitive as well. |
|||
| msg301392 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2017-09-05 22:55 | |
I agree with Antoine. I tried to test your patch and found out that is not compatible with socketserver. The socketserver module shuts down the connection with SHUT_WR. We could either ignore the problem or ignore the how and use SHUT_RDWR in all cases. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:50 | admin | set | github: 63080 |
| 2017-09-05 22:55:28 | christian.heimes | set | messages: + msg301392 |
| 2017-09-05 22:49:29 | pitrou | set | nosy:
+ pitrou messages: + msg301390 |
| 2017-09-05 22:40:07 | christian.heimes | set | messages:
+ msg301389 versions: + Python 2.7, Python 3.6 |
| 2016-09-26 14:33:32 | christian.heimes | set | assignee: christian.heimes -> type: security -> behavior versions: + Python 3.7, - Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6 nosy: - giampaolo.rodola messages: + msg277423 stage: patch review |
| 2016-09-15 08:01:19 | christian.heimes | set | components: + SSL |
| 2016-08-17 18:44:02 | ned.deily | set | nosy:
+ janssen, giampaolo.rodola, alex, dstufft versions: + Python 3.6, - Python 2.6, Python 3.1 |
| 2016-08-17 13:33:24 | vstinner | set | type: behavior -> security |
| 2016-08-10 17:48:59 | matrixise | set | assignee: christian.heimes messages: + msg272351 nosy: + christian.heimes, matrixise |
| 2013-08-29 21:36:58 | zielmicha | create | |