Issue 19422: Neither DTLS nor error for SSLSocket.sendto() of UDP socket
Created on 2013-10-28 12:56 by christian.heimes, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Messages (9)
Author: Christian Heimes (christian.heimes) *
Date: 2013-10-28 12:56
Python's SSL module doesn't support DTLS (datagram TLS for UDP). The SSL code doesn't complain when a UDP socket is wrapped in an SSL socket. It happily sends the bytes unprotected and not encrypted over the wire:
>>> import ssl, socket
>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
4
TCP sockets at least complain that the connection hasn't been established yet.
>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 517, in sendto
    return socket.sendto(self, data, flags_or_addr)
BrokenPipeError: [Errno 32] Broken pipe
Author: Christian Heimes (christian.heimes) *
Date: 2013-10-28 12:58
I think either sendto() or wrap_socket() should raise some kind of error for UDP instead of silently sending unencrypted data.
Author: Antoine Pitrou (pitrou) *
Date: 2013-10-28 13:23
Agreed, this should definitely be fixed.
Author: Vajrasky Kok (vajrasky) *
Date: 2013-11-04 08:34
Attached the patch to raise an error when using SOCK_DGRAM in wrap_socket.
I am still unsure whether I should put the validation in C code (private function _wrap_socket) or not.
Author: Vajrasky Kok (vajrasky) *
Date: 2013-12-23 02:31
Thanks, Antoine, for the review! Attached the patch to address Antoine's concern.
Author: Antoine Pitrou (pitrou) *
Date: 2013-12-28 16:13
Actually, it seems the patch is flawed:
>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> sock.type
2
>>> sock.settimeout(0)
>>> sock.type
2050
But getsockopt() returns the expected value:
>>> sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
2
Author: Roundup Robot (python-dev)
Date: 2013-12-28 16:31
New changeset a00842b783cf by Antoine Pitrou in branch '3.3': Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. http://hg.python.org/cpython/rev/a00842b783cf
New changeset f7dc02e6987a by Antoine Pitrou in branch 'default': Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. http://hg.python.org/cpython/rev/f7dc02e6987a
Author: Roundup Robot (python-dev)
Date: 2013-12-28 16:35
New changeset 44841d81bf14 by Antoine Pitrou in branch '2.7': Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data. http://hg.python.org/cpython/rev/44841d81bf14
Author: Antoine Pitrou (pitrou) *
Date: 2013-12-28 16:36
Updated patch is stricter (it checks for SOCK_STREAM). Pushed!
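As an added example (not code from this thread or from CPython), the guard below does what the pushed changesets describe: it asks the kernel for the socket type via getsockopt(SO_TYPE) and refuses anything but SOCK_STREAM, so a datagram socket fails loudly instead of emitting plaintext. The function names are hypothetical; the probe also shows why the kernel value is the right one to check, since on the Python versions discussed above settimeout(0) OR-ed flag bits into sock.type (2 -> 2050).

```python
import socket
from socket import SOL_SOCKET, SO_TYPE, SOCK_STREAM, SOCK_DGRAM


def socket_kind(sock):
    """Return the kernel's view of the socket type via getsockopt(SO_TYPE).

    Unlike the sock.type attribute on Python 3.3-3.6 (Linux), this value never
    carries SOCK_NONBLOCK/SOCK_CLOEXEC flag bits, so it is safe to compare
    directly against SOCK_STREAM."""
    return sock.getsockopt(SOL_SOCKET, SO_TYPE)


def require_stream_socket(sock):
    """Hypothetical guard mirroring the fix: reject non-stream sockets up front.

    Raising NotImplementedError makes a misuse visible to the caller instead of
    silently sending unencrypted datagrams."""
    if socket_kind(sock) != SOCK_STREAM:
        raise NotImplementedError("only stream sockets are supported")
    return sock


def probe(family=socket.AF_INET):
    """Exercise the guard on a UDP socket, a TCP socket, and a TCP socket after
    settimeout(0). Returns a dict of outcomes so the result can be checked."""
    results = {}
    with socket.socket(family, SOCK_DGRAM) as udp:
        try:
            require_stream_socket(udp)
            results["udp"] = "accepted"
        except NotImplementedError as exc:
            results["udp"] = f"rejected: {exc}"
    with socket.socket(family, SOCK_STREAM) as tcp:
        results["tcp"] = "accepted" if require_stream_socket(tcp) is tcp else "rejected"
        tcp.settimeout(0)  # switches the socket to non-blocking mode
        results["tcp_nonblocking"] = "accepted" if require_stream_socket(tcp) is tcp else "rejected"
        # The kernel still reports a plain SOCK_STREAM whatever the blocking mode.
        results["tcp_nonblocking_is_stream"] = socket_kind(tcp) == SOCK_STREAM
    return results


if __name__ == "__main__":
    for name, outcome in probe().items():
        print(f"{name}: {outcome}")
```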
History
Date | User | Action | Args
2022-04-11 14:57:52 | admin | set | github: 63621
2013-12-28 16:36:28 | pitrou | set | status: open -> closed; resolution: fixed; messages: +; stage: needs patch -> resolved
2013-12-28 16:35:21 | python-dev | set | messages: +
2013-12-28 16:31:01 | python-dev | set | nosy: + python-dev; messages: +
2013-12-28 16:13:59 | pitrou | set | messages: +
2013-12-23 02:31:31 | vajrasky | set | files: + raises_error_on_wrap_socket_with_sock_dgram_v2.patch; messages: +
2013-11-04 08:34:11 | vajrasky | set | files: + raises_error_on_wrap_socket_with_sock_dgram.patch; nosy: + vajrasky; messages: +; keywords: + patch
2013-10-28 13:23:23 | pitrou | set | messages: +; components: + Library (Lib), - Extension Modules; stage: needs patch
2013-10-28 12:58:33 | christian.heimes | set | nosy: + janssen, pitrou, giampaolo.rodola; messages: +
2013-10-28 12:56:51 | christian.heimes | create |