[New-bugs-announce] [issue43794] OpenSSL 3.0.0: Handle UNEXPECTED_EOF_WHILE_READING / wrap SSL_OP_IGNORE_UNEXPECTED_EOF

Christian Heimes report at bugs.python.org
Fri Apr 9 10:13:11 EDT 2021

New submission from Christian Heimes <lists at cheimes.de>:

OpenSSL 3.0.0 state machine handles unexpected EOFs more strict and requires peers to properly shut down connections. The old OpenSSL 1.1.1 behavior can be get back with SSL_OP_IGNORE_UNEXPECTED_EOF.

I propose to add the option by default until Python's ssl module has better ways to perform one-way shutdown of connections.


> Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

> You should only enable this option if the protocol running over TLS can detect a truncation attack itself, and that the application is checking for that truncation attack.

assignee: christian.heimes
components: SSL
messages: 390632
nosy: christian.heimes
priority: normal
severity: normal
status: open
type: behavior
versions: Python 3.10, Python 3.8, Python 3.9

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list