Neither DTLS nor error for SSLSocket.sendto() of UDP socket #63621
Comments
Python's SSL module doesn't support DTLS (datagram TLS for UDP). The SSL code doesn't complain when a UDP socket is wrapped in an SSL socket. It happily sends the bytes unprotected and not encrypted over the wire:

>>> import ssl, socket
>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
4

TCP sockets at least complain that the connection hasn't been established yet.

>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 517, in sendto
    return socket.sendto(self, data, flags_or_addr)
BrokenPipeError: [Errno 32] Broken pipe |
I think either sendto() or wrap_socket() should raise some kind of error for UDP instead of silently sending unencrypted data. |
Agreed, this should definitely be fixed. |
Attached the patch to raise an error when using SOCK_DGRAM in wrap_socket. I am still unsure whether I should put the validation in C code (private function _wrap_socket) or not. |
Thanks, Antoine, for the review! Attached the patch to address Antoine's concern. |
Actually, it seems the patch is flawed:

>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> sock.type
2
>>> sock.settimeout(0)
>>> sock.type
2050

But getsockopt() returns the expected value:

>>> sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
2 |
New changeset a00842b783cf by Antoine Pitrou in branch '3.3':
New changeset f7dc02e6987a by Antoine Pitrou in branch 'default': |
New changeset 44841d81bf14 by Antoine Pitrou in branch '2.7': |
Updated patch is stricter (it checks for SOCK_STREAM). Pushed! |
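
The sock.type observation and the stricter SOCK_STREAM check discussed in this thread, as an added example that is not part of the thread or of the committed patch. The names `naive_is_dgram`, `kernel_socket_type`, `require_stream` and `audit`, and the choice of ValueError, are assumptions made for illustration.

```python
import socket

# Constructed sample: the sock.type value quoted in the thread after
# settimeout(0) on a UDP socket (2 with an extra flag bit set).
REPORTED_TYPE = 2050


def naive_is_dgram(type_value):
    """Equality test on sock.type; the reported value slips past it."""
    return type_value == socket.SOCK_DGRAM


def kernel_socket_type(sock):
    """Socket type as the OS reports it, independent of sock.type."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)


def require_stream(sock):
    """Hypothetical guard: allow only SOCK_STREAM before TLS wrapping.

    ValueError is this example's choice of exception.
    """
    kind = kernel_socket_type(sock)
    if kind != socket.SOCK_STREAM:
        raise ValueError("refusing to wrap non-stream socket (SO_TYPE=%d)" % kind)
    return sock


def audit():
    """Run the guard over a blocking UDP, non-blocking UDP and TCP socket."""
    results = {}
    for name, kind, timeout in (("udp", socket.SOCK_DGRAM, None),
                                ("udp-nonblocking", socket.SOCK_DGRAM, 0),
                                ("tcp", socket.SOCK_STREAM, None)):
        with socket.socket(socket.AF_INET, kind) as sock:
            sock.settimeout(timeout)
            try:
                require_stream(sock)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print("naive check on 2050:", naive_is_dgram(REPORTED_TYPE))
    print(audit())
```

Because the guard is an allow-list on SOCK_STREAM rather than a deny-list on SOCK_DGRAM, any other socket type is refused as well.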