[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-10 Thread Christian Heimes
Christian Heimes added the comment: That's not how OSS works. Python core development does not have resources to provide proactive support for all Linux distros in the world. We provide documentation and guidance. I assume that paid package maintainers of a commercial Linux vendor perform the

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-10 Thread Christian Heimes
Change by Christian Heimes: nosy: -christian.heimes

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-10 Thread Alex Grönholm
Alex Grönholm added the comment: I just noticed that Ubuntu 22.04 LTS also uses OpenSSL 3 with their Python builds. I hope somebody has told them too about the state of affairs.

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Alex Grönholm
Alex Grönholm added the comment: Good to see that this is being handled. I could try to write a patch to do what I suggested above, if you're willing to review it.

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Christian Heimes
Christian Heimes added the comment: Petr and Charis are aware that there are issues with OpenSSL 3.0 support. RHEL 9 FIPS support is broken as well. It's also documented in the release notes and I just wrote an email to python-dev, too.

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Alex Grönholm
Alex Grönholm added the comment: I hope the Fedora maintainers/packagers know this because on Rawhide, Python is being compiled against OpenSSL 3 (which is how we discovered the problem). F36 is due out in a little over 3 months.

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Christian Heimes
Christian Heimes added the comment: This is not a security issue because OpenSSL 3.0.0 is not officially supported yet. OpenSSL 3.0.0 support is preliminary, experimental, and provisional. From https://docs.python.org/3/whatsnew/3.10.html#ssl > The ssl module has preliminary support for Open

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Alex Grönholm
Alex Grönholm added the comment: This is a security issue because it exposes users to TLS truncation attacks that weren't possible before because such attempts would raise SSLEOFError.

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Christian Heimes
Change by Christian Heimes: assignee: christian.heimes -> ; type: security -> behavior

[issue46313] SSLObject does not raise SSLEOFError on OpenSSL 3

2022-01-09 Thread Alex Grönholm
New submission from Alex Grönholm: PR #25309 (https://github.com/python/cpython/pull/25309) changed OpenSSL behavior so that it ignores unexpected EOFs by default. This was detected by the test suites of both trio and AnyIO when running on OpenSSL 3. We worked around the problem by explicitly