You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.
You should only enable this option if the protocol running over TLS can detect a truncation attack itself, and that the application is checking for that truncation attack.
OpenSSL 1.1.1 also handled EOFs strictly, but this behavior was generally suppressed in the ssl module through the default setting of suppress_ragged_eofs=True (thus enabling truncation attacks by default). The PR changes the behavior of existing applications in such a way that previously detectable unexpected EOFs are now no longer detectable by default. To make matters worse, EOF errors are not translated to SSLEOFError anymore, and instead I have to match the strerror attribute in SSLError to detect this condition.