classification
Title: SSLObject does not raise SSLEOFError on OpenSSL 3
Type: behavior Stage:
Components: SSL Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: alex.gronholm, lukasz.langa
Priority: normal Keywords:

Created on 2022-01-09 13:40 by alex.gronholm, last changed 2022-04-11 14:59 by admin.

Messages (8)
msg410146 - Author: Alex Grönholm (alex.gronholm) Date: 2022-01-09 13:40
PR #25309 (https://github.com/python/cpython/pull/25309) changed OpenSSL behavior so that it ignores unexpected EOFs by default. This was detected by the test suites of both trio and AnyIO when running on OpenSSL 3.

We worked around the problem by explicitly unsetting the SSL_OP_IGNORE_UNEXPECTED_EOF flag and then checking if the "strerror" attribute of SSLError contains the text "UNEXPECTED_EOF_WHILE_READING".

The remedy in the standard library would be twofold:
1. Revert the change of enabling SSL_OP_IGNORE_UNEXPECTED_EOF by default
2. Handle the condition properly so that SSLEOFError is raised instead of the generic SSLError

As SSLSockets ignore SSLEOFError by default, this fix should work fine for those too.
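The workaround described in the report above, as an added example written for this page (it is not trio's or AnyIO's code and not a CPython patch): clear OP_IGNORE_UNEXPECTED_EOF when the build exposes it, then translate the OpenSSL 3 SSLError carrying UNEXPECTED_EOF_WHILE_READING into the SSLEOFError that OpenSSL 1.1.1 builds raised. `TruncatedPeerStub` is a constructed stand-in for an SSLObject whose peer closed the TCP connection without a close_notify; the error text it raises is modelled on CPython's "[SSL: REASON] message" format and is an assumption, as are the helper names.

```python
import ssl

# OpenSSL 3 defines SSL_OP_IGNORE_UNEXPECTED_EOF; Python 3.10+ exposes it as
# ssl.OP_IGNORE_UNEXPECTED_EOF only when linked against OpenSSL 3, so the
# attribute may be absent. A value of 0 means "nothing to clear".
IGNORE_UNEXPECTED_EOF = int(getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0))

# Reason code OpenSSL 3 reports when the transport closes without a TLS
# close_notify alert; this is the string trio/AnyIO match on.
UNEXPECTED_EOF_REASON = "UNEXPECTED_EOF_WHILE_READING"


def harden_context(ctx: ssl.SSLContext) -> bool:
    """Clear SSL_OP_IGNORE_UNEXPECTED_EOF so a truncated stream is an error.

    Returns True if the option was set and has now been cleared, False if it
    was already clear or this build does not know the option at all.
    Must run before SSLObject/SSLSocket creation: OpenSSL copies the context
    options into each connection at SSL_new().
    """
    if not IGNORE_UNEXPECTED_EOF:
        return False
    options = int(ctx.options)
    if not options & IGNORE_UNEXPECTED_EOF:
        return False
    # Assign a plain int; the setter clears bits absent from the new value.
    ctx.options = options & ~IGNORE_UNEXPECTED_EOF
    return True


def is_unexpected_eof(exc: ssl.SSLError) -> bool:
    """True if exc is OpenSSL 3's unexpected-EOF error, not some other SSLError.

    CPython sets .reason on errors it builds from OpenSSL; .strerror carries
    the same reason code in brackets, so either attribute is checked.
    """
    reason = getattr(exc, "reason", None) or ""
    strerror = exc.strerror or ""
    return UNEXPECTED_EOF_REASON in reason or UNEXPECTED_EOF_REASON in strerror


def read_strict(sslobj, nbytes: int = 16384) -> bytes:
    """Read application data, raising SSLEOFError on a truncated TLS stream.

    With the option cleared, OpenSSL 3 reports truncation as a generic
    SSLError; OpenSSL 1.1.1 raised SSLEOFError. Callers get SSLEOFError in
    both cases. With the option still set, read() returns b"" for a truncated
    stream exactly as for a clean close_notify, and nothing here can tell
    the two apart, which is why harden_context() has to run first.
    """
    try:
        return sslobj.read(nbytes)
    except ssl.SSLEOFError:
        raise
    except ssl.SSLError as exc:
        if is_unexpected_eof(exc):
            raise ssl.SSLEOFError(exc.errno, exc.strerror) from exc
        raise


def classify_read(sslobj) -> str:
    """Label one read as 'data', 'clean-eof' (close_notify seen) or 'truncated'."""
    try:
        data = read_strict(sslobj)
    except ssl.SSLEOFError:
        return "truncated"
    return "data" if data else "clean-eof"


class TruncatedPeerStub:
    """Constructed stand-in for an SSLObject whose peer dropped the TCP
    connection mid-stream, raising what OpenSSL 3 produces once
    SSL_OP_IGNORE_UNEXPECTED_EOF has been cleared (message text assumed)."""

    def read(self, nbytes: int = 16384) -> bytes:
        raise ssl.SSLError(
            1, "[SSL: UNEXPECTED_EOF_WHILE_READING] unexpected eof while reading"
        )


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("option cleared:", harden_context(ctx))
    print("truncated peer classified as:", classify_read(TruncatedPeerStub()))
```

On a Python 3.10+ build against OpenSSL 3, `harden_context` returns True on the first call because the option is set by default; on a 1.1.1 build it returns False and the `SSLEOFError` path in `read_strict` is simply the native behaviour passing through.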
msg410150 - Author: Alex Grönholm (alex.gronholm) Date: 2022-01-09 14:12
This is a security issue because it exposes users to TLS truncation attacks that weren't possible before because such attempts would raise SSLEOFError.
msg410159 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2022-01-09 16:49
This is not a security issue because OpenSSL 3.0.0 is not officially supported yet. OpenSSL 3.0.0 support is preliminary, experimental, and provisional.

From https://docs.python.org/3/whatsnew/3.10.html#ssl

> The ssl module has preliminary support for OpenSSL 3.0.0.
msg410162 - Author: Alex Grönholm (alex.gronholm) Date: 2022-01-09 19:59
I hope the Fedora maintainers/packagers know this because on Rawhide, Python is being compiled against OpenSSL 3 (which is how we discovered the problem). F36 is due out in a little over 3 months.
msg410164 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2022-01-09 20:34
Petr and Charis are aware that there are issues with OpenSSL 3.0 support. RHEL 9 FIPS support is broken as well. It's also documented in the release notes and I just wrote an email to python-dev, too.
msg410165 - Author: Alex Grönholm (alex.gronholm) Date: 2022-01-09 20:35
Good to see that this is being handled. I could try to write a patch to do what I suggested above, if you're willing to review it.
msg410199 - Author: Alex Grönholm (alex.gronholm) Date: 2022-01-10 11:05
I just noticed that Ubuntu 22.04 LTS also uses OpenSSL 3 with their Python builds. I hope somebody has told them too about the state of affairs.
msg410201 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2022-01-10 11:26
That's not how OSS works. Python core development does not have resources to provide proactive support for all Linux distros in the world. We provide documentation and guidance. I assume that paid package maintainers of a commercial Linux vendor perform their due diligence, read the release notes, and follow upstream development discussions.

PS: I'm unsubscribing from this bpo now.
History
Date                 User              Action  Args
2022-04-11 14:59:54  admin             set     github: 90471
2022-01-10 11:26:36  christian.heimes  set     nosy: - christian.heimes
2022-01-10 11:26:31  christian.heimes  set     messages: + msg410201
2022-01-10 11:05:11  alex.gronholm     set     messages: + msg410199
2022-01-09 20:36:00  alex.gronholm     set     messages: + msg410165
2022-01-09 20:34:33  christian.heimes  set     messages: + msg410164
2022-01-09 19:59:42  alex.gronholm     set     messages: + msg410162
2022-01-09 16:49:14  christian.heimes  set     messages: + msg410159
2022-01-09 14:12:28  alex.gronholm     set     messages: + msg410150
2022-01-09 14:11:07  christian.heimes  set     assignee: christian.heimes -> ; type: security -> behavior
2022-01-09 13:40:17  alex.gronholm     create