[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-12-11 Thread Alex Grönholm

Alex Grönholm  added the comment:

OpenSSL 1.1.1 also handled EOFs strictly, but this behavior was generally 
suppressed in the ssl module through the default setting of 
suppress_ragged_eofs=True (thus enabling truncation attacks by default). The PR 
changes the behavior of existing applications in such a way that previously 
detectable unexpected EOFs are now no longer detectable by default. To make 
matters worse, EOF errors are not translated to SSLEOFError anymore, and 
instead I have to match the strerror attribute in SSLError to detect this 
condition.

--
nosy: +alex.gronholm

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread Christian Heimes


New submission from Christian Heimes :

OpenSSL 3.0.0's state machine handles unexpected EOFs more strictly and requires 
peers to properly shut down connections. The old OpenSSL 1.1.1 behavior can be 
brought back with SSL_OP_IGNORE_UNEXPECTED_EOF.

I propose to add the option by default until Python's ssl module has better 
ways to perform one-way shutdown of connections.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

> Some TLS implementations do not send the mandatory close_notify alert on 
> shutdown. If the application tries to wait for the close_notify alert but the 
> peer closes the connection without sending it, an error is generated. When 
> this option is enabled the peer does not need to send the close_notify alert 
> and a closed connection will be treated as if the close_notify alert was 
> received.

> You should only enable this option if the protocol running over TLS can 
> detect a truncation attack itself, and that the application is checking for 
> that truncation attack.

--
assignee: christian.heimes
components: SSL
messages: 390632
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF
type: behavior
versions: Python 3.10, Python 3.8, Python 3.9

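The two messages above describe the practitioner's side of this change: the opening report notes that OP_IGNORE_UNEXPECTED_EOF is only safe when the application itself checks for truncation, and the later comment observes that with the option on by default a ragged EOF is no longer detectable and, when it is reported, arrives as a plain SSLError rather than SSLEOFError. The following is an added example, not code from the tracker thread or from CPython, showing the defender-side handling: a context that clears the default option where the build exposes it, a classifier that recognises both error shapes, and a read loop that refuses to treat a cut connection as a clean close. The names strict_eof_context, is_truncation, recv_until_close, TruncatedStream and FakeTLSSocket are hypothetical, and the sample errors and scripted recv() results are constructed so the code runs offline.

```python
import ssl

# ssl.OP_IGNORE_UNEXPECTED_EOF exists only on Python 3.10+ built against
# OpenSSL 3.0; older builds have no such option, so fall back to 0 (a no-op).
_IGNORE_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)

# Reason mnemonic OpenSSL 3.0 reports for a ragged EOF (from the issue title).
TRUNCATION_REASON = "UNEXPECTED_EOF_WHILE_READING"


class TruncatedStream(Exception):
    """Hypothetical application-level error: peer closed without close_notify."""


def strict_eof_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Default context with CPython's default OP_IGNORE_UNEXPECTED_EOF cleared,
    so a ragged EOF surfaces as an error instead of looking like a clean close."""
    ctx = ssl.create_default_context(purpose)
    if _IGNORE_EOF:
        ctx.options &= ~_IGNORE_EOF
    return ctx


def ignores_unexpected_eof(ctx):
    """True if ctx silently treats a ragged EOF as close_notify (OpenSSL 3.0 builds)."""
    return bool(ctx.options & _IGNORE_EOF)


def is_truncation(exc):
    """Classify an exception from recv()/read() as a truncated TLS stream.
    Covers the SSLEOFError case and the OpenSSL 3.0 case where the error is a
    plain SSLError whose reason/strerror carries UNEXPECTED_EOF_WHILE_READING."""
    if isinstance(exc, ssl.SSLEOFError):
        return True
    if isinstance(exc, ssl.SSLError):
        # 'reason' is set by the C layer on real errors; it is absent on
        # Python-constructed instances, hence getattr with a default.
        if getattr(exc, "reason", None) == TRUNCATION_REASON:
            return True
        return TRUNCATION_REASON in (exc.strerror or "")
    return False


def recv_until_close(sock, bufsize=4096):
    """Read until the peer's close_notify (recv() returns b""); raise
    TruncatedStream if the connection is cut instead. Pair this with
    suppress_ragged_eofs=False and strict_eof_context() so truncation is reported."""
    chunks = []
    while True:
        try:
            data = sock.recv(bufsize)
        except ssl.SSLError as exc:
            if is_truncation(exc):
                raise TruncatedStream(str(exc)) from exc
            raise
        if not data:
            return b"".join(chunks)
        chunks.append(data)


class FakeTLSSocket:
    """Constructed stand-in for an SSLSocket: replays a scripted sequence of
    recv() results (bytes) or exceptions so the logic above runs offline."""

    def __init__(self, script):
        self._script = list(script)

    def recv(self, bufsize):
        item = self._script.pop(0)
        if isinstance(item, BaseException):
            raise item
        return item


# Constructed sample errors, modelled on the messages the ssl module emits.
SAMPLE_EOF_ERROR = ssl.SSLEOFError(8, "EOF occurred in violation of protocol")
SAMPLE_RAGGED_EOF = ssl.SSLError(
    1, "[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol")
SAMPLE_VERIFY_ERROR = ssl.SSLError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed")


def demo():
    """Return (clean_payload, truncation_detected) for two scripted sockets."""
    clean = recv_until_close(FakeTLSSocket([b"HTTP/1.1 200 OK\r\n", b"\r\nbody", b""]))
    try:
        recv_until_close(FakeTLSSocket([b"HTTP/1.1 200 OK\r\n", SAMPLE_RAGGED_EOF]))
        truncated = False
    except TruncatedStream:
        truncated = True
    return clean, truncated


if __name__ == "__main__":
    print(demo())
```

On a real connection, wrap with `strict_eof_context().wrap_socket(sock, server_hostname=host, suppress_ragged_eofs=False)`; with the default suppress_ragged_eofs=True the ssl module turns the ragged EOF into an empty read and recv_until_close cannot tell it from close_notify, which is exactly the truncation the OpenSSL documentation quoted above warns about.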



[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread Christian Heimes


Change by Christian Heimes :


--
keywords: +patch
pull_requests: +24044
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/25309




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 1.0 -> 2.0
pull_requests: +24048
pull_request: https://github.com/python/cpython/pull/25313




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread Christian Heimes


Christian Heimes  added the comment:


New changeset 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372 by Christian Heimes in 
branch 'master':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
https://github.com/python/cpython/commit/6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372


--




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread miss-islington


Change by miss-islington :


--
pull_requests: +24049
pull_request: https://github.com/python/cpython/pull/25314




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread miss-islington


miss-islington  added the comment:


New changeset e18ebd9ec546a3647a57c282735350f60a26d66d by Miss Islington (bot) 
in branch '3.8':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
https://github.com/python/cpython/commit/e18ebd9ec546a3647a57c282735350f60a26d66d


--




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-04-09 Thread miss-islington


miss-islington  added the comment:


New changeset 54d89a33e0d1b854fd5a72889d6554aeeb4170f0 by Miss Islington (bot) 
in branch '3.9':
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
https://github.com/python/cpython/commit/54d89a33e0d1b854fd5a72889d6554aeeb4170f0


--




[issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

2021-05-02 Thread Christian Heimes


Christian Heimes  added the comment:

I have updated whatsnew in GH-25817.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
