[Cryptography-dev] Integrating pyOpenSSL to asyncio

Heraldo Lucena heraldo.dev at gmail.com
Thu Sep 29 20:57:07 EDT 2022


Ok I found the issue.

The standard SSL module won't propagate up the SSL_ERROR_ZERO_RETURN when
the TLS connection is shutting down and the application tries to read data;
instead, an empty byte string is returned to signal EOF.

On Thu, 29 Sep 2022 at 20:22, Heraldo Lucena <heraldo.dev at gmail.com>
wrote:

> I am integrating pyOpenSSL to asyncio by reimplementing the SSLContext
> interface from the Python standard SSL module and all OpenSSL semantics it
> depends on. I chose this path to avoid overriding asyncio's standard event
> loops.
>
> To receive SSL traffic I am copying the incoming ssl.MemoryBIO passed by
> asyncio to SSLContext.wrap_bio() by using Connection.write_bio().
> To send SSL traffic I am copying pyOpenSSL's outgoing BIO with
> Connection.read_bio() and writing it to asyncio's outgoing ssl.MemoryBIO.
> I always copy the whole content right before Connection.recv() and right
> after Connection.send().
>
> The only issue I have now is that application data is lost (in my case
> HTTP data) when the server sends a TLS close_notify alert right after the
> application data. When testing with the aiohttp HTTP library the connection is
> taken as closed before the HTTP response is read. When inspecting the error
> cause, aiohttp got SSL.ZeroReturnError from pyOpenSSL, which signals that TLS
> shutdown was performed on the connection. On Wireshark I also confirmed the
> server sent close_notify right after the HTTP response body.
>
> This issue doesn't happen when the server doesn't send close_notify (the
> HTTP server doesn't close the connection after sending the response).
>
> I also implemented SSLContext.wrap_socket() to test with blocking sockets;
> this issue doesn't happen there. I tested with urllib and the requests library,
> and in both tests the HTTP response is fully read.
>
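An added example, not code from this thread or from pyOpenSSL, showing the read-path translation the finding above implies: the stdlib ssl.SSLObject.read() reports SSL_ERROR_ZERO_RETURN as an empty byte string (EOF), while pyOpenSSL's Connection.recv() raises SSL.ZeroReturnError, so a wrap_bio() reimplementation has to map the exception back to b"" or asyncio's SSL protocol treats the close_notify as a fatal error. FakeTLSConnection is a constructed stand-in for the decrypted-record side of an OpenSSL.SSL.Connection so the logic runs without a real TLS session; the exception names come from pyOpenSSL when it is installed and are otherwise stand-in classes with the same names.

```python
import ssl
from collections import deque

try:
    # Real pyOpenSSL exception types when the package is available.
    from OpenSSL.SSL import ZeroReturnError, WantReadError
except ImportError:  # stand-ins (assumption) so the example runs without pyOpenSSL
    class ZeroReturnError(Exception):
        """Raised by Connection.recv() once close_notify has been processed."""

    class WantReadError(Exception):
        """Raised by Connection.recv() when more ciphertext must be fed in."""


class FakeTLSConnection:
    """Constructed model of OpenSSL.SSL.Connection.recv(), not pyOpenSSL code.

    Hands out the already-decrypted application records in order; after the
    last one it behaves like a connection that received close_notify
    (ZeroReturnError) or one that is simply waiting for more bytes
    (WantReadError).
    """

    def __init__(self, records, close_notify=True):
        self._records = deque(records)
        self._close_notify = close_notify

    def recv(self, bufsize):
        if self._records:
            rec = self._records.popleft()
            if len(rec) > bufsize:  # return a partial record, keep the rest
                self._records.appendleft(rec[bufsize:])
            return rec[:bufsize]
        if self._close_notify:
            raise ZeroReturnError()
        raise WantReadError()


def read_like_stdlib(conn, bufsize=16384):
    """Mirror ssl.SSLObject.read() semantics on top of a pyOpenSSL-style recv().

    ZeroReturnError (SSL_ERROR_ZERO_RETURN) becomes b"" so the caller sees a
    clean EOF; WantReadError becomes ssl.SSLWantReadError, which asyncio's
    SSL protocol already understands.
    """
    try:
        return conn.recv(bufsize)
    except ZeroReturnError:
        return b""
    except WantReadError:
        raise ssl.SSLWantReadError(ssl.SSL_ERROR_WANT_READ,
                                   "The operation did not complete (read)")


def drain(conn):
    """Read the way an asyncio SSL protocol loop does: keep reading until EOF
    or until the TLS layer needs more ciphertext.

    Returns (data, eof_seen).
    """
    chunks = []
    while True:
        try:
            data = read_like_stdlib(conn)
        except ssl.SSLWantReadError:
            return b"".join(chunks), False
        if not data:  # EOF: close_notify already processed
            return b"".join(chunks), True
        chunks.append(data)


def drain_untranslated(conn):
    """Same loop without the translation: the close_notify surfaces as
    ZeroReturnError and the caller never gets a clean EOF."""
    chunks = []
    while True:
        try:
            chunks.append(conn.recv(16384))
        except WantReadError:
            return b"".join(chunks), False


if __name__ == "__main__":
    # Constructed sample: an HTTP response followed by close_notify.
    records = [b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n", b"ok"]
    body, eof = drain(FakeTLSConnection(records, close_notify=True))
    print(body, eof)  # full response, EOF reported as b""
```

With the translation, the buffered response is returned first and the close_notify then shows up as the b"" the stdlib would have produced; without it, the same connection raises ZeroReturnError out of the read loop, which is what aiohttp reported in the original message.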