New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client SSLSocket with select.select() always returns readable with OpenSSL 1.1.1 #81716
Comments
Hi, I've come across an issue with OpenSSL 1.1.1, when a client socket wrapped using ssl.wrap_socket() is used in select.select() its always returning ready for reading even though there appears to be nothing to read. To reproduce:
I expect client.py to print "Nothing to read" and then b'\x00\x01\x02\x03', which it does with Python 2.7.14, 3.6.8 and 3.7.3 and OpenSSL 1.0.1f and 1.1.0g. With OpenSSL 1.1.1 it prints 'Pending: 0' and blocks on the sock.recv(1) call. Thanks! |
All new releases which include an OpenSSL version above 1.1.1 has the same issue. Can anybody fix it? Thanks a lot! |
The problem is caused by the way how TLS 1.3 works. Select considers a TLS 1.3 socket as readable after the handshake, because there is still data on the line. The server is sending session tickets (usually two) after the handshake has been performed. If you set "context.num_tickets = 0" in server.py or "context.maximum_version = ssl.TLSVersion.TLSv1_2" in either server.py or client.py, your script works. Ticket bpo-37120 has more information on that. Session tickets are low-level TLS protocol elements. Methods like SSLSocket.pending() and SSLSocket.recv() only act on high-level application protocol data. That's why pending() returns 0 and recv() is blocking. There is no application data available. You have to take another approach and follow the guidelines in |
Thanks for explanation, I understand what the reason is. But why do_handshake() not clear of useless data buffer after it is completed? I think that must be easy to do. |
do_handshake() performs just the handshake. TLS protocol can send or receive additional protocol data after the handshake, e.g. alerts, rekeying or renegotiation. The example just happened to not trigger these in TLS 1.2. TLS makes non-blocking IO more complicated. |
So, that means there are some additional optional operations after do_handshake(), the data is needed. Thanks for explanation! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: