Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32k
Description
Bug report
Bug description:
Hi,
There appears to be an issue either in the asyncio SSL code when upgrading a connection withstart_tls or in the function_ssl__SSLSocket_read_impl, starting from OpenSSL 3.2.
The following code works fine with OpenSSL 3.1.4 but fails with OpenSSL 3.2.0 when TLS 1.3 is used. I’ve tested multiple combinations of OpenSSL and Python versions, and the issue seems to lie either in OpenSSL or Python. I’m unsure whether to report this here or on the OpenSSL GitHub, but it does appear to be a bug.
Starting with OpenSSL 3.2, the following exception is raised:ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:2576)
This issue is caused bySSL_read_ex returningSSL_ERROR_SYSCALL after successfully reading the HTTP response body. From my observations,errno is0 at the time of the error.
The OpenSSL 1.1.1 documentation (SSL_get_error) suggests this behavior should not occur in modern versions of OpenSSL. If I understand correctly, this could also be a regression introduced in OpenSSL 3.2.
The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected EOF from the peer. This will be properly reported as SSL_ERROR_SSL with reason code SSL_R_UNEXPECTED_EOF_WHILE_READING in the OpenSSL 3.0 release because it is truly a TLS protocol error to terminate the connection without a SSL_shutdown().The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications which choose to ignore this protocol error depend on the existing way of reporting the error.I’m not sure if this is a bug in Python or OpenSSL, but it seems likely to become a problem once more systems upgrade to OpenSSL 3.2.
Here's the minimal reproducible sample code:
importasyncioimportsslclassHttpProxyClient:def__init__(self,proxy_host,proxy_port,target_host,target_port):self.proxy_host=proxy_hostself.proxy_port=proxy_portself.target_host=target_hostself.target_port=target_portasyncdefconnect(self):reader,writer=awaitasyncio.open_connection(self.proxy_host,self.proxy_port)connect_request= (f"CONNECT{self.target_host}:{self.target_port} HTTP/1.1\r\n"f"Host:{self.target_host}:{self.target_port}\r\n"f"Proxy-Connection: keep-alive\r\n\r\n" )writer.write(connect_request.encode())awaitwriter.drain()response=awaitreader.read(4096)ifb'200 Connection established'notinresponse:writer.close()awaitwriter.wait_closed()raiseException("Failed to establish connection with the proxy.")ctx=ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH )# Disable checks for docker test containerctx.check_hostname=Falsectx.verify_mode=ssl.CERT_NONE# Disable tls1.3: this fixes the issue with openssl 3.2+# ctx.options |= ssl.OP_NO_TLSv1_3# Disable everything except tls1.3: this causes a crash with openssl 3.2+ctx.options|=ssl.OP_NO_TLSv1_2|ssl.OP_NO_TLSv1_1|ssl.OP_NO_TLSv1|ssl.OP_NO_SSLv2|ssl.OP_NO_SSLv3awaitwriter.start_tls(ctx)print("Upgraded to SSL/TLS")returnreader,writerasyncdefrun(self):http_request= (f"GET / HTTP/1.1\r\n"f"Host:{self.target_host}\r\n"f"Accept: */*\r\n"f"Connection: close\r\n\r\n" )try:reader,writer=awaitself.connect()writer.write(http_request.encode())awaitwriter.drain()whilenotreader.at_eof():response=awaitreader.read(4096)print(response.decode())writer.close()awaitwriter.wait_closed()exceptExceptionase:raiseasyncdefmain():proxy_host="localhost"proxy_port=9001target_host="google.com"target_port=443client=HttpProxyClient(proxy_host,proxy_port,target_host,target_port)awaitclient.run()asyncio.run(main())
CPython versions tested on:
3.10, 3.11, 3.12, 3.13, 3.14
Operating systems tested on:
Linux