Type: behavior
Stage: resolved
Components: SSL
Versions: Python 3.10, Python 3.9, Python 3.8
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: alex.gronholm, christian.heimes, miss-islington
Priority: normal
Keywords: patch

Created on 2021-04-09 14:13 by christian.heimes, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked
PR 25309 merged christian.heimes, 2021-04-09 14:44
PR 25313 merged miss-islington, 2021-04-09 15:59
PR 25314 merged miss-islington, 2021-04-09 15:59
Messages (6)
msg390632 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-09 14:13
The OpenSSL 3.0.0 state machine handles unexpected EOFs more strictly and requires peers to properly shut down connections. The old OpenSSL 1.1.1 behavior can be restored with SSL_OP_IGNORE_UNEXPECTED_EOF.

I propose to add the option by default until Python's ssl module has better ways to perform one-way shutdown of connections.

> Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

> You should only enable this option if the protocol running over TLS can detect a truncation attack itself, and that the application is checking for that truncation attack.
msg390640 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-09 15:59
New changeset 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372 by Christian Heimes in branch 'master':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
msg390642 - (view) Author: miss-islington (miss-islington) Date: 2021-04-09 16:21
New changeset e18ebd9ec546a3647a57c282735350f60a26d66d by Miss Islington (bot) in branch '3.8':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
msg390643 - (view) Author: miss-islington (miss-islington) Date: 2021-04-09 16:21
New changeset 54d89a33e0d1b854fd5a72889d6554aeeb4170f0 by Miss Islington (bot) in branch '3.9':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
msg392699 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-05-02 14:07
I have updated whatsnew in GH-25817.
msg408350 - (view) Author: Alex Grönholm (alex.gronholm) * Date: 2021-12-11 23:41
OpenSSL 1.1.1 also handled EOFs strictly, but this behavior was generally suppressed in the ssl module through the default setting of suppress_ragged_eofs=True (thus enabling truncation attacks by default). The PR changes the behavior of existing applications in such a way that previously detectable unexpected EOFs are now no longer detectable by default. To make matters worse, EOF errors are not translated to SSLEOFError anymore, and instead I have to match the strerror attribute in SSLError to detect this condition.
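
The two controls discussed in this thread, shown together as an added example (not code from the thread or from CPython): clearing `OP_IGNORE_UNEXPECTED_EOF` and passing `suppress_ragged_eofs=False` so a missing close_notify surfaces as an error, plus an application-level length check that detects truncation even when the EOF is suppressed. The helper names, the 4-byte length framing and the matched error phrase are assumptions made for illustration.

```python
import ssl

class TruncatedMessage(Exception):
    """The peer closed the connection before a framed message was complete."""

def enforce_strict_eof(ctx):
    """Clear OP_IGNORE_UNEXPECTED_EOF so a missing close_notify is an error again."""
    # The constant is only present when the ssl module was built against
    # OpenSSL headers that define SSL_OP_IGNORE_UNEXPECTED_EOF.
    flag = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
    if flag:
        ctx.options &= ~flag
    return ctx

def wrap_strict(ctx, sock, server_hostname):
    """Wrap a client socket so a ragged EOF raises instead of reading as b''."""
    return enforce_strict_eof(ctx).wrap_socket(
        sock, server_hostname=server_hostname, suppress_ragged_eofs=False)

def is_ragged_eof(exc):
    """True if exc reports a TLS connection closed without close_notify."""
    if isinstance(exc, ssl.SSLEOFError):
        return True
    # Assumption: the untranslated OpenSSL 3.0 error text contains this phrase.
    return isinstance(exc, ssl.SSLError) and \
        "unexpected eof" in (exc.strerror or "").lower()

def read_exact(sock, n):
    """Read exactly n bytes or raise TruncatedMessage."""
    buf = bytearray()
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except ssl.SSLError as exc:
            if is_ragged_eof(exc):
                raise TruncatedMessage(f"TLS EOF after {len(buf)} of {n} bytes") from exc
            raise
        if not chunk:  # clean or suppressed EOF, but still short of the framed length
            raise TruncatedMessage(f"EOF after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

def read_framed(sock):
    """Read one message: 4-byte big-endian length, then body (constructed framing)."""
    length = int.from_bytes(read_exact(sock, 4), "big")
    return read_exact(sock, length)
```

`read_framed` accepts any object with a `recv()` method, so the length check behaves the same on a plain socket and on one returned by `wrap_strict`.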
Date User Action Args
2022-04-11 14:59:44 admin set github: 87960
2021-12-11 23:41:17 alex.gronholm set nosy: + alex.gronholm; messages: + msg408350
2021-05-02 14:07:05 christian.heimes set status: open -> closed; resolution: fixed; messages: + msg392699; stage: patch review -> resolved
2021-04-09 16:21:59 miss-islington set messages: + msg390643
2021-04-09 16:21:13 miss-islington set messages: + msg390642
2021-04-09 15:59:39 miss-islington set pull_requests: + pull_request24049
2021-04-09 15:59:36 christian.heimes set messages: + msg390640
2021-04-09 15:59:31 miss-islington set nosy: + miss-islington; pull_requests: + pull_request24048
2021-04-09 15:19:17 christian.heimes link issue38820 dependencies
2021-04-09 14:44:56 christian.heimes set keywords: + patch; stage: patch review; pull_requests: + pull_request24044
2021-04-09 14:13:11 christian.heimes create