Christian Heimes <li...@cheimes.de> added the comment: Before we can disable ragged EOF handling, we first have to fix ssl.SSLSocket()'s shutdown behavior. It should support at least a proper unidirectional shutdown besides the slow bidirectional shutdown. It might even be a good idea to default to unidirectional shutdown. Curl does it, https://github.com/curl/curl/blob/9e4ad1e2af22f00eeca533b745b67956f57319cb/lib/vtls/openssl.c#L1155-L1168
I wrote this in a mail to Cory about PEP 543 two weeks ago: Now to the nasty session and shutdown issue. I discovered it just a couple of weeks ago. We have to revisit TLS socket shutdown in order to make TLS session resumption work. OpenSSL discards and invalidates sessions when a SSL socket isn't properly shut down, e.g. hard-close I/O layer. Simply speaking OpenSSL has four shutdown modes: bidirectional, unidirection, quiet, and hard. Python's ssl module supports slow bidirectional mode and hard mode. * In bidirectional mode, both parties send a "close notify" alert and wait for confirmation. * Unidirectional means that one party just sends a "close notify" alert and then closes the connection. It doesn't wait for ACK. * Quiet shutdown doesn't send anything. It merely sets some internal flags to mark the connection as closed and session as valid * What I call 'hard mode' just kills the I/O layer and frees the SSL*. Sessions are marked as invalid because OpenSSL rightly assumes that something went wrong and the session cannot be reused safely. https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_quiet_shutdown(3) https://wiki.openssl.org/index.php/Manual:SSL_shutdown(3) We need an API to perform some sort of shutdown on __exit__(None, None, None) / close(). ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue27815> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
