Christian Heimes <li...@cheimes.de> added the comment:

You have to tell OpenSSL that a hard-close is expected and fine. If you just 
SSL_free() the SSL connection, then OpenSSL removes the session from the 
SSL_CTX's session cache. It assumes that something went wrong and defaults to 
secure defaults. "Wrong" doesn't necessarily mean that an attacker has 
compromised a connection.

In order to flag a session as valid, you have to SSL_set_quiet_shutdown(ssl, 
1), SSL_shutdown(ssl), SSL_free(ssl). With quiet shutdown set, SSL_shutdown() 
neither sends nor waits for any data.

One-way shutdown with non-blocking trick is evil. Cool hack :)

SSLSocket and SSLObject should really support different shutdown modes, e.g. 
s.shutdown(mode=0) for quiet, mode=1 for unidirectional and mode=2 for 
bidirectional.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue27815>
_______________________________________