https://github.com/python/cpython/commit/4d58a1d8fb27048c11bcbda3da1bebf78f979335
commit: 4d58a1d8fb27048c11bcbda3da1bebf78f979335
branch: 3.8
author: Miss Islington (bot) <[email protected]>
committer: ambv <[email protected]>
date: 2024-02-21T16:22:09+01:00
summary:

[3.8] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERROR_SYSCALL (GH-107586) (GH-107591)

(cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc)

Co-authored-by: Pablo Galindo Salgado <[email protected]>
Co-authored-by: T. Wouters <[email protected]>
Co-authored-by: Łukasz Langa <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>

files:
A Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
M Modules/_ssl.c

diff --git a/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst new file mode 100644 index 00000000000000..ecaf437a48e0ae --- /dev/null +++ b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst @@ -0,0 +1,6 @@ +Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL`` +instead of ``SSL_ERROR_SSL`` when a certification verification has failed, +but the error parameters will still contain ``ERR_LIB_SSL`` and +``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and +raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo +Galindo diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 35d9d65f8c0722..7b88b2e5c9ddbc 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -819,6 +819,10 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno) errstr = "Some I/O error occurred"; } } else { + if (ERR_GET_LIB(e) == ERR_LIB_SSL && + ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) { + type = PySSLCertVerificationErrorObject; + } p = PY_SSL_ERROR_SYSCALL; } break;
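
Review bot: In the NEWS entry, "appropiate" on the fifth added line should be "appropriate", and "a certification verification has failed" on the second added line should read "certificate verification has failed". The entry also opens with the hedge "Seems that in some conditions" and ends "Patch by Pablo Galindo" without a closing period; stating the behaviour directly ("In some conditions OpenSSL returns ...") and ending the sentence properly would make the changelog line read as a fact rather than a guess.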
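
Review bot: The new check in the else branch of PySSL_SetError carries no comment explaining why a certificate verification failure is looked for on the SSL_ERROR_SYSCALL path; the rationale lives only in the NEWS entry, so a one-line comment above `if (ERR_GET_LIB(e) == ERR_LIB_SSL &&` would help the next reader. `p = PY_SSL_ERROR_SYSCALL;` still runs after `type` is switched to PySSLCertVerificationErrorObject, so the error code variable stays at the syscall value while the exception type changes; if that pairing is intended, the comment should say so. The file list shows only the NEWS entry and Modules/_ssl.c, so no regression test accompanies the change, and a test covering this path would keep the verification failure from being reported as a generic error again.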
