-
-
Notifications
You must be signed in to change notification settings - Fork 33.2k
gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`.
!buildbot Arch.Linux |
🤖 New build scheduled with the buildbot fleet by @encukou for commit 0098897 🤖 The command will test the builders whose names match following regular expression: The builders matched are:
|
This fixes #125936 for me. |
python/cpython#127331 python/cpython#127361 (From OE-Core rev: e271e9cbf896f1fb97d56c426e4217a6d2105ea4) Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
python/cpython#127331 python/cpython#127361 Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
python/cpython#127331 python/cpython#127361 Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
ssl experts (@jackjansen, @tiran, @dstufft, @alex): Do you want to check the change? |
If there are no objections, I'll merge tomorrow to unblock the buildbots. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change looks good to me. I don't know how to test it in a reliable way. Let's see how it goes with EPIPE and OpenSSL 3.4.
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13. |
From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <[email protected]>
GH-127812 is a backport of this pull request to the 3.13 branch. |
…127812) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <[email protected]>
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12. |
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12. |
From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <[email protected]>
GH-127905 is a backport of this pull request to the 3.12 branch. |
…127905) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <[email protected]>
python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Richard Purdie <[email protected]>
From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue.
OpenSSL 3.4.0 returns `ERR_LIB_SYS` in some more situations than it used to. In the case exercised by `SingleTLSLayerTestCase.test_close_after_handshake`, python/cpython#127361 (also backported to the 3.12 and 3.13 branches) turns this into `BrokenPipeError`. It seems reasonable to treat this in the same way as `ConnectionAbortedError` and `ConnectionResetError`.
OpenSSL 3.4.0 returns `ERR_LIB_SYS` in some more situations than it used to. In the case exercised by `SingleTLSLayerTestCase.test_close_after_handshake`, python/cpython#127361 (also backported to the 3.12 and 3.13 branches) turns this into `BrokenPipeError`. It seems reasonable to treat this in the same way as `ConnectionAbortedError` and `ConnectionResetError`.
We started seeing this on 3.11 and 3.10 in Fedora Rawhide which moved to OpenSSL 3.5 beta (due to unrelated to this issue ssl test failures). Would this be considered a security fix to backport for the security releases as more and more distros start moving to the latest OpenSSL? |
…127361) (pythonGH-127905) pythongh-127257: ssl: Raise OSError for ERR_LIB_SYS (pythonGH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <[email protected]> (cherry picked from commit 7f707fa)
IMO we can make an exception for this change and backport it to 3.11 and 3.10. I prepared backports: |
…127905) (GH-131970) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) (cherry picked from commit 7f707fa) Co-authored-by: Petr Viktorin <[email protected]>
…127905) (GH-131971) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) (cherry picked from commit 7f707fa) Co-authored-by: Petr Viktorin <[email protected]>
…pythonGH-127905) (pythonGH-131971) pythongh-127257: ssl: Raise OSError for ERR_LIB_SYS (pythonGH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) (cherry picked from commit 7f707fa) Co-authored-by: Petr Viktorin <[email protected]>
The patch resolves the flakiness of test_ftplib Backported from upstream 3.10+: python#127361 Co-authored-by: Petr Viktorin <[email protected]>
The patch resolves the flakiness of test_ftplib Backported from upstream 3.10+: python#127361 Co-authored-by: Petr Viktorin <[email protected]>
The patch resolves the flakiness of test_ftplib Backported from upstream 3.10+: python#127361 Co-authored-by: Petr Viktorin <[email protected]>
The patch resolves the flakiness of test_ftplib Backported from upstream 3.10+: python#127361 Co-authored-by: Petr Viktorin <[email protected]>
One way OpenSSL can report a failed syscall is SSL_ERROR_SYSCALL. We have that one covered.
But, another way is ERR_LIB_SYS. Apparently, it's being used more now, and causing issues on OpenSSL 3.4.0 on Arch buildbots.
From the ERR_raise manpage:
This PR only handles
ERR_LIB_SYS
for the high-lever error typesSSL_ERROR_SYSCALL
andSSL_ERROR_SSL
, i.e., not the ones whereOpenSSL indicates it has some more information about the issue.
I believe it's correct to raise OSError rather that SSLError
in these cases. That makes this a backwards-incompatible change
(but one we still might want to backport as a bugfix).
The error on Arch with OpenSSL 3.4.0 is broken pipe (EPIPE) when a client reads after the server shuts down. On my Arch, raising OSError makes
test_poplip
pass.