Issue 18880: ssl.SSLSocket shutdown doesn't behave like socket.shutdown

Created on 2013-08-29 21:36 by zielmicha, last changed 2022-04-11 14:57 by admin.

Files
File name Uploaded
ssl-shutdown-fail.patch zielmicha, 2013-08-29 21:36
Messages (6)
msg196494 - (view) Author: Michał Zieliński (zielmicha) Date: 2013-08-29 21:36
The SSLSocket documentation mentions shutdown as an analogue to socket.shutdown. However, instead of forbidding communication, it removes the SSL wrapper from the socket. For example, the following script doesn't work and returns garbage:

    import socket
    import ssl

    s = socket.socket()
    s.connect(('google.com', 443))
    client = ssl.wrap_socket(s)
    client.sendall(b'GET / HTTP/1.0\nConnection: close\n\n')
    # Half-close the write side; on an SSLSocket this also removes the SSL wrapper.
    client.shutdown(socket.SHUT_WR)
    # The response is now read without SSL processing.
    print(repr(client.recv(40)))

The attached patch makes shutdown raise an exception if how != SHUT_RDWR, as closing one side of a socket over SSL doesn't make sense (unless I'm missing something).
msg272351 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2016-08-10 17:48
Christian, what do you think about this issue?
1. Fix for 3.5 and 3.6
2. Maybe for 2.7?
msg277423 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-26 14:33
Sounds fine, but it's not a security issue. I'm re-targeting the bug for 3.7.
msg301389 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-05 22:40
Sounds like a good idea.
msg301390 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2017-09-05 22:49
This will needlessly break code which until now accepts both kinds of sockets. By the way, socket.shutdown() doesn't specify that *only* one direction is shut down when using SHUT_RD or SHUT_WR; what is guaranteed is that *at least* the given direction will shut down. But there may be socket types where unidirectional shutdown is not supported and both directions will be shut down. This is (approximately) what SSLSocket does -- though the SSL unwrapping part is a bit unintuitive as well.
msg301392 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-05 22:55
I agree with Antoine. I tried to test your patch and found out that it is not compatible with socketserver. The socketserver module shuts down the connection with SHUT_WR. We could either ignore the problem or ignore the how and use SHUT_RDWR in all cases.
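The behaviour discussed in this thread, as an added example that is not part of the issue or of the attached patch: after shutdown() an SSLSocket hands raw bytes from the wire to the caller, and a small guard can apply either of the two policies proposed above. The helper names, the `policy` parameter, the ValueError exception type and the host name "example.invalid" are assumptions made for this illustration; the socket pair is a constructed local fixture with no handshake.

```python
import socket
import ssl


def wrapped_pair():
    """Constructed fixture: a local socket pair with one end wrapped by ssl.

    No handshake is performed, so no certificate or network is needed.
    """
    a, b = socket.socketpair()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_socket(a, server_hostname="example.invalid",
                          do_handshake_on_connect=False)
    return tls, b


def recv_after_shutdown(how):
    """Return what SSLSocket.recv() hands back once shutdown(how) was called."""
    tls, peer = wrapped_pair()
    try:
        tls.shutdown(how)                # drops the SSL layer, then shuts the socket
        peer.sendall(b"not TLS at all")  # raw bytes, never a valid TLS record
        return tls.recv(40)              # delivered as-is instead of being rejected
    finally:
        tls.close()
        peer.close()


def guarded_shutdown(sock, how, policy="reject"):
    """Hypothetical helper applying one of the two policies from the thread.

    "reject": refuse a one-directional shutdown on an SSLSocket
              (ValueError is an assumed exception type).
    "force":  ignore `how` on an SSLSocket and always use SHUT_RDWR.
    Plain sockets pass through unchanged. Returns the `how` actually used.
    """
    if isinstance(sock, ssl.SSLSocket) and how != socket.SHUT_RDWR:
        if policy == "reject":
            raise ValueError("one-directional shutdown is not supported over SSL")
        how = socket.SHUT_RDWR
    sock.shutdown(how)
    return how


if __name__ == "__main__":
    print(recv_after_shutdown(socket.SHUT_WR))
```

Code that must keep reading protected data should therefore treat an SSLSocket as finished once shutdown() has been called, whatever value of `how` was passed.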
History
Date User Action Args
2022-04-11 14:57:50 admin set github: 63080
2017-09-05 22:55:28 christian.heimes set messages: +
2017-09-05 22:49:29 pitrou set nosy: + pitrou; messages: +
2017-09-05 22:40:07 christian.heimes set messages: +; versions: + Python 2.7, Python 3.6
2016-09-26 14:33:32 christian.heimes set assignee: christian.heimes -> ; type: security -> behavior; versions: + Python 3.7, - Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6; nosy: - giampaolo.rodola; messages: +; stage: patch review
2016-09-15 08:01:19 christian.heimes set components: + SSL
2016-08-17 18:44:02 ned.deily set nosy: + janssen, giampaolo.rodola, alex, dstufft; versions: + Python 3.6, - Python 2.6, Python 3.1
2016-08-17 13:33:24 vstinner set type: behavior -> security
2016-08-10 17:48:59 matrixise set assignee: christian.heimes; messages: +; nosy: + christian.heimes, matrixise
2013-08-29 21:36:58 zielmicha create