SSL `socket.shutdown` should not delete the ssl context

[richmans]

cpython/Lib/ssl.py

Line 1342 in 986a4e1

self._sslobj = None

Consider the following very simple http 1.0 client:

import ssl
import socket

c = ssl.create_default_context()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('google.com', 443))
ss = c.wrap_socket(s, server_hostname='google.com')
rq = 'GET / HTTP/1.0\r\n\r\n'
ss.sendall(rq.encode())
ss.shutdown(socket.SHUT_WR)
while True:
  rs = ss.recv(1024)
  if rs == b'':
    break
  print(rs)

Expected result would be a html page, but instead this script prints encrypted data.

The shutdown function is used to close the write end of the socket, to signal the peer that no more data will be sent. The peer can still send data though. In this case, the google server sends an encrypted response but the sslsocket.recv returns it as-is because the shutdown function set _sslobj to None.

A workaround:

import ssl
import socket

c = ssl.create_default_context()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('google.com', 443))
ss = c.wrap_socket(s, server_hostname='google.com')
rq = 'GET / HTTP/1.0\r\n\r\n'
ss.sendall(rq.encode())
tmp = ss._sslobj
ss.shutdown(socket.SHUT_WR)
ss._sslobj = tmp
while True:
  rs = ss.recv(1024)
  if rs == b'':
    break
  print(rs)

This might be a trivial example because we could just not choose to shutdown. But when implementing things like proxies, this can become a problem.

in my opinion the referenced line should be deleted.

Linked PRs

• gh-63080: Remove line in socket.shutdown that deletes the ssl context #124731

[soufrabi]

Should i submit a PR with the reference line deleted ?

[soufrabi]

Passes all tests with the reference line commented out
Changes

diff --git a/Lib/ssl.py b/Lib/ssl.py
index c8703b046cf..aa66b1b87e6 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -1339,7 +1339,7 @@ def pending(self):

     def shutdown(self, how):
         self._checkClosed()
-        self._sslobj = None
+        # self._sslobj = None
         super().shutdown(how)

     @_sslcopydoc

Test results

== Tests result: SUCCESS ==

23 tests skipped:
    test.test_asyncio.test_windows_events
    test.test_asyncio.test_windows_utils test_android test_bz2
    test_dbm_gnu test_dbm_ndbm test_devpoll test_free_threading
    test_idle test_kqueue test_launcher test_msvcrt test_readline
    test_startfile test_tcl test_tkinter test_ttk test_ttk_textonly
    test_turtle test_winapi test_winconsoleio test_winreg test_wmi

9 tests skipped (resource denied):
    test_curses test_peg_generator test_pyrepl test_smtpnet
    test_socketserver test_urllib2net test_urllibnet test_winsound
    test_zipfile64

447 tests OK.

Total duration: 5 min 47 sec
Total tests: run=44,076 skipped=1,924
Total test files: run=470/479 skipped=23 resource_denied=9
Result: SUCCESS

[picnixz]

This is likely a duplicate of #63080. And according to the discussion out there, it seems that this is kind of what was expected. Closing as a duplicate (you can continue the discussion in the original issue, we just don't want to have duplicated issues open)