Re: [Python-Dev] Proposal for better SSL errors

Sun, 27 May 2012 02:34:05 -0700 

On Sun, 27 May 2012 12:00:57 +1000
Cameron Simpson <c...@zip.com.au> wrote:
> On 26May2012 21:28, Antoine Pitrou <solip...@pitrou.net> wrote:
> | Not only does the error string contain more valuable information (the
> | mnemonics "SSL" and "CERTIFICATE_VERIFY_FAILED" indicate, respectively,
> | in which subpart of OpenSSL and which precise error occurred), but they
> | are also introspectable:
> | 
> | >>> e = sys.last_value
> | >>> e.library
> | 'SSL'
> | >>> e.reason
> | 'CERTIFICATE_VERIFY_FAILED'
> | 
> | (these mnemonics correspond to OpenSSL's own #define'd numeric codes. I
> | find it more Pythonic to expose the mnemonics than the numbers, though.
> | Of course, the numbers <-> mnemnonics mappings can be separately
> | exposed)
> 
> Would you be inclined to exposed both? Eg add .ssl_errno (or whatever
> short name is conventionally used in the SSL library itself, just as
> "errno" matches the POSIX error code name).

OpenSSL has a diversity of error codes. In this case there's the result
code returned by OpenSSL's SSL_get_error(), which is 1 (SSL_ERROR_SSL)
and is already recorded as "errno" (see below). There's the reason,
as returned by OpenSSL's ERR_get_reason(), which is
SSL_R_CERTIFICATE_VERIFY_FAILED. And I'm sure other oddities are
lurking.

> | You'll note there is still a "Errno 5" in that error message; I don't
> | really know what to do with it. Hard-wiring the errno attribute to
> | something like None *might* break existing software, although that
> | would be unlikely since the current errno value is quite meaningless
> | and confusing (it has nothing to do with POSIX errnos).
> 
> It is EIO ("I/O error"), and not inappropriate for a communictions failure.

That's a nice coincidence, but it's actually an OpenSSL-specific code.
Also, there's a bug in the current patch, the right value should be 1
(SSL_ERROR_SSL) not 5.

That said, I remember there's legacy code doing things like:
    except SSLError as e:
        if e.args[0] == SSL_ERROR_WANT_READ: ...

so we can't ditch the errno, although in 3.3 you would write:
    except SSLWantReadError: ...

Regards

Antoine.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Reply via email to