New submission from Christian Heimes <li...@cheimes.de>:
OpenSSL 3.0.0's state machine handles unexpected EOFs more strictly and requires peers to properly shut down connections. The old OpenSSL 1.1.1 behavior can be restored with SSL_OP_IGNORE_UNEXPECTED_EOF. I propose to add the option by default until Python's ssl module has better ways to perform one-way shutdown of connections.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

> Some TLS implementations do not send the mandatory close_notify alert on
> shutdown. If the application tries to wait for the close_notify alert but the
> peer closes the connection without sending it, an error is generated. When
> this option is enabled the peer does not need to send the close_notify alert
> and a closed connection will be treated as if the close_notify alert was
> received.
>
> You should only enable this option if the protocol running over TLS can
> detect a truncation attack itself, and that the application is checking for
> that truncation attack.

----------
assignee: christian.heimes
components: SSL
messages: 390632
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF
type: behavior
versions: Python 3.10, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43794>
_______________________________________
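The man page caveat quoted above is the part a practitioner has to act on: once the option is set, a TLS stream cut off without close_notify looks like an ordinary EOF, so the application protocol must notice the truncation itself. The following is an added example (not code from this issue or from CPython) that sets the option only when the running Python exposes it, and pairs it with a hypothetical 4-byte length-prefixed framing whose reader treats a short read as an error. The sample frames are constructed inline so it runs offline.

```python
import io
import ssl
import struct

# CPython only defines this constant when built against OpenSSL 3.0+;
# on OpenSSL 1.1.1 builds it is absent, so fall back to a no-op bit mask.
OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)


class TruncationError(Exception):
    """Peer closed the stream before the announced payload had arrived."""


def make_client_context(tolerate_unexpected_eof: bool) -> ssl.SSLContext:
    """Client context; optionally restores the OpenSSL 1.1.1 EOF behaviour."""
    ctx = ssl.create_default_context()
    if tolerate_unexpected_eof:
        ctx.options |= OP_IGNORE_UNEXPECTED_EOF
    return ctx


def ignores_unexpected_eof(ctx: ssl.SSLContext) -> bool:
    """True only if the option exists on this build and is set on ctx."""
    return bool(OP_IGNORE_UNEXPECTED_EOF) and bool(ctx.options & OP_IGNORE_UNEXPECTED_EOF)


# Hypothetical application framing: 4-byte big-endian length, then payload.
def encode_frame(payload: bytes) -> bytes:
    return struct.pack("!I", len(payload)) + payload


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes; an early EOF is a protocol-level truncation."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))  # for an SSLSocket use recv()
        if not chunk:
            raise TruncationError(f"expected {n} bytes, got {len(buf)}")
        buf += chunk
    return bytes(buf)


def read_frame(stream) -> bytes:
    (length,) = struct.unpack("!I", read_exact(stream, 4))
    return read_exact(stream, length)


def frame_was_truncated(data: bytes) -> bool:
    """Helper for checking: does parsing `data` as one frame detect a cut?"""
    try:
        read_frame(io.BytesIO(data))
    except TruncationError:
        return True
    return False


# Constructed sample input: one complete frame and the same frame cut short.
SAMPLE_COMPLETE = encode_frame(b"hello")
SAMPLE_TRUNCATED = SAMPLE_COMPLETE[:-2]
```

Without the length prefix, the reader would have returned `b"hel"` and treated the cut stream as a clean end of message; with it, the truncation surfaces as an error regardless of whether the TLS layer reported it.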