Feature or enhancement
Proposal:
On $BIG_CORP's weird OpenSSL that's in a FIPS 140-3 environment, attempting to
connect to a Website with (it's deliberate we're using sockets rather than
something like requests or urllib):
#!/usr/bin/env python3
"""Test TLS 1.2 connection to a site using only stdlib."""
import pprint
import ssl
import socket
def main():
hostname = "www.example.com"
# Create SSL context with TLS 1.2 maximum
context = ssl.create_default_context()
context.maximum_version = ssl.TLSVersion.TLSv1_2
try:
with socket.create_connection((hostname, 443)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(f"Connected to {hostname}")
print(f"TLS version: {ssock.version()}")
print(f"Cipher: {ssock.cipher()}")
# Send a simple HTTP request
request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode('ascii')
ssock.sendall(request)
response = ssock.recv(4096)
status_line = response.split(b'\r\n')[0].decode('utf-8', errors='replace')
print(f"\nResponse status: {status_line}")
except ssl.SSLError as e:
raise
if __name__ == "__main__":
main()
blows up very strangely:
$ python3.13 test_tls1.2.py
Traceback (most recent call last):
File "/opt/bigcorp/test_tls1.2.py", line 30, in <module>
main()
File "/opt/bigcorp/test_tls1.2.py", line 16, in main
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
File "/opt/bigcorp/lib/python3.9/ssl.py", line 506, in wrap_socket
return self.sslsocket_class._create(
File "/opt/bigcorp/lib/python3.9/ssl.py", line 1084, in _create
self.do_handshake()
File "/opt/bigcorp/lib/python3.9/ssl.py", line 1353, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL] internal error (_ssl.c:1162)
This is very hard to debug. OpenSSL has an error queue internally that can be
accessed via ERR_error_string
and friends, but Python doesn't expose anything but the top-most message
of the queue, and there's not an easy way to access the rest of it otherwise.
NOTE: the hard way: pull out a debugger, get into OpenSSL, pull
out it's error code, and than map the numbers from the bits to messages. Not
recommended.
We should make the OpenSSL error queue available.
Has this already been discussed elsewhere?
No response given
Links to previous discussion of this feature:
May indirectly fix #148594
Linked PRs
Feature or enhancement
Proposal:
On $BIG_CORP's weird OpenSSL that's in a FIPS 140-3 environment, attempting to
connect to a Website with (it's deliberate we're using sockets rather than
something like requests or urllib):
blows up very strangely:
This is very hard to debug. OpenSSL has an error queue internally that can be
accessed via ERR_error_string
and friends, but Python doesn't expose anything but the top-most message
of the queue, and there's not an easy way to access the rest of it otherwise.
NOTE: the hard way: pull out a debugger, get into OpenSSL, pull
out it's error code, and than map the numbers from the bits to messages. Not
recommended.
We should make the OpenSSL error queue available.
Has this already been discussed elsewhere?
No response given
Links to previous discussion of this feature:
May indirectly fix #148594
Linked PRs