Fix for problem caused by SSL_WANT_READ or SSL_WANT_WRITE errors.
When SSL_WANT_READ or SSL_WANT_WRITE are encountered, it's typical to retry the call, but this must be repeated with the exact same arguments. Without this change, OpenSSL requires that the address of the buffer passed is the same. However, buffers in Python can change location in some circumstances, which causes the retry to fail. By adding the setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the requirement for the same buffer address is forgiven and the retry has a better chance of success. See cherrypy/cheroot#245 for discussion.
julianz- committed Jan 28, 2024
1 parent 1508c4b commit 6c1d483
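The retry rule the commit message describes (a call that fails with WANT_READ or WANT_WRITE must be repeated with the same arguments) can be seen with CPython's own `ssl` module, which already sets `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`. The following is an added example, not code from pyOpenSSL or this commit: it builds a client-side TLS object over memory BIOs with no peer attached, so every `write` comes back as `SSLWantReadError` (the handshake is waiting for a ServerHello that never arrives), and shows a retry loop that re-presents the identical `data` object on each attempt. `make_detached_client`, `write_with_retry` and the `example.invalid` hostname are constructed for this illustration.

```python
import ssl


def make_detached_client():
    """Constructed setup: a TLS client object wired to memory BIOs with no peer.

    Nothing ever feeds `incoming`, so the handshake cannot complete and every
    write reports SSL_ERROR_WANT_READ, which is exactly the retry case.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no peer, so there is no certificate to verify
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(
        incoming, outgoing, server_side=False, server_hostname="example.invalid"
    )
    return tls, incoming, outgoing


def write_with_retry(tls, data, max_attempts):
    """Retry tls.write(data) on WANT_READ / WANT_WRITE, bounded by max_attempts.

    The same `data` object is passed on every attempt: OpenSSL expects the retry
    to carry the same buffer, and without SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER it
    also expects the same buffer address. Returns (bytes_written, attempts) on
    success or (None, max_attempts) if the operation never became ready.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return tls.write(data), attempt
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            # A real caller would now move outgoing.read() to the transport and
            # feed the peer's reply into incoming.write() before retrying. With
            # no peer here, the retry cannot make progress, so we just count it.
            continue
    return None, max_attempts


if __name__ == "__main__":
    tls, incoming, outgoing = make_detached_client()
    payload = b"GET / HTTP/1.1\r\n\r\n"  # constructed application data
    written, attempts = write_with_retry(tls, payload, 3)
    print("written:", written, "attempts:", attempts)
    # The first write attempt started the handshake, so a ClientHello record
    # (content type 0x16) is waiting in the outgoing BIO.
    print("handshake record queued:", outgoing.read()[:1] == b"\x16")
```

The loop is the shape pyOpenSSL callers use with `WantReadError` / `WantWriteError`; the point the commit addresses is that, in pyOpenSSL before this change, a Python-level buffer that had moved between attempts would make the retry fail even though the bytes were identical.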
Showing 4 changed files with 28 additions and 18 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.rst
@@ -4,6 +4,23 @@ Changelog
Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.

24.1.0 (UNRELEASED)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``pyOpenSSL`` now sets ``SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`` by default, matching CPython's behavior. `#1287 <https://github.com/pyca/pyopenssl/pull/1287>`_.
- The minimum ``cryptography`` version is now 42.0.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^



24.0.0 (2024-01-22)
-------------------

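Review bot: the second bullet (the `cryptography` minimum moving to 42.0.0) is a backward-incompatible change with no PR reference and no reason given, unlike the first bullet; add the `#1287` link and a phrase on why the floor had to move, since neither the commit message nor this entry explains it. Also, three blank lines follow the empty `Changes:` heading; one is enough in RST.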
@@ -93,7 +93,7 @@ def find_meta(meta):
packages=find_packages(where="src"),
package_dir={"": "src"},
install_requires=[
"cryptography>=41.0.5,<43",
"cryptography>=42.0.0,<43",
],
extras_require={
"test": ["flaky", "pretend", "pytest>=3.0.1"],
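Review bot: the floor moves from 41.0.5 to 42.0.0 while the `<43` ceiling stays, which matches the tox.ini pin in this commit, but nothing states what in 42.0.0 is required; the removal of the `AttributeError` fallback in SSL.py hints that the bindings at this version expose what the change needs. Record that reason in the commit message or changelog, otherwise a later reader cannot tell whether the bump is incidental or load-bearing.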
@@ -163,20 +163,11 @@
DTLS_SERVER_METHOD = 11
DTLS_CLIENT_METHOD = 12

try:
SSL3_VERSION = _lib.SSL3_VERSION
TLS1_VERSION = _lib.TLS1_VERSION
TLS1_1_VERSION = _lib.TLS1_1_VERSION
TLS1_2_VERSION = _lib.TLS1_2_VERSION
TLS1_3_VERSION = _lib.TLS1_3_VERSION
except AttributeError:
# Hardcode constants for cryptography < 3.4, see
# https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682
SSL3_VERSION = 768
TLS1_VERSION = 769
TLS1_1_VERSION = 770
TLS1_2_VERSION = 771
TLS1_3_VERSION = 772
SSL3_VERSION = _lib.SSL3_VERSION
TLS1_VERSION = _lib.TLS1_VERSION
TLS1_1_VERSION = _lib.TLS1_1_VERSION
TLS1_2_VERSION = _lib.TLS1_2_VERSION
TLS1_3_VERSION = _lib.TLS1_3_VERSION

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
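Review bot: dropping the `try`/`except AttributeError` fallback is only safe because the `cryptography` floor is raised to 42.0.0 in the same commit; the removed comment targeted `cryptography < 3.4`, so at the new floor this was dead code. Keep the two changes landing together (they do here) and check that no other spot in the module still assumes the `_lib.*_VERSION` constants may be missing.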
@@ -864,8 +855,10 @@ def __init__(self, method):
self._ocsp_data = None
self._cookie_generate_helper = None
self._cookie_verify_helper = None

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
self.set_mode(
_lib.SSL_MODE_ENABLE_PARTIAL_WRITE
| _lib.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
)
if version is not None:
self.set_min_proto_version(version)
self.set_max_proto_version(version)
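Review bot: no test accompanies the mode change; the four files touched are the changelog, setup.py, SSL.py and tox.ini. Add a test that a freshly constructed `Context` carries `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` (reading OpenSSL's `SSL_CTX_get_mode` on the underlying context is enough), so a later refactor of `__init__` cannot silently revert the retry behaviour the commit message describes. Folding both flags into one `set_mode` call is equivalent to the previous single call plus a second one, since `SSL_CTX_set_mode` ORs new bits into the existing mode. A one-line comment next to the call pointing at cherrypy/cheroot#245 would help, since the reason currently lives only in the commit message.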
@@ -18,7 +18,7 @@ extras =
test
deps =
coverage>=4.2
cryptographyMinimum: cryptography==41.0.5
cryptographyMinimum: cryptography==42.0.0
randomorder: pytest-randomly
setenv =
# Do not allow the executing environment to pollute the test environment
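Review bot: this pin agrees with the `cryptography>=42.0.0` floor in setup.py; keep the two in lockstep, since the `cryptographyMinimum` factor is the environment that verifies the bare `_lib.*_VERSION` lookups in SSL.py still resolve at the minimum version now that the fallback is gone.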
0 comments on commit 6c1d483