[3.8] gh-107077: Raise SSLCertVerificationError even if the error is …

…set via SSL_ERROR_SYSCALL (GH-107586) (GH-107591) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: T. Wouters <thomas@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
python · Feb 21, 2024 · 4d58a1d · 4d58a1d
1 parent 8c6f277
commit 4d58a1d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
@@ -0,0 +1,6 @@
+Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL``
+instead of ``SSL_ERROR_SSL`` when a certification verification has failed,
+but the error parameters will still contain ``ERR_LIB_SSL`` and
+``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and
+raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo
+Galindo
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -819,6 +819,10 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
                     errstr = "Some I/O error occurred";
                 }
             } else {
+                if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
+                        ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+                    type = PySSLCertVerificationErrorObject;
+                }
                 p = PY_SSL_ERROR_SYSCALL;
             }
             break;