[3.11] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

[ambv]

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

• Issue: CVE-2023-40217: Bypass TLS handshake on closed sockets #108310

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows10 3.11 has failed when building commit 75a875e.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/986/builds/1085) and take a look at the build logs.
4. Check if the failure is related to this commit (75a875e) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/986/builds/1085

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

402 tests OK.

10 slowest tests:

• test_multiprocessing_spawn: 3 min 16 sec
• test_tokenize: 2 min 59 sec
• test_asyncio: 2 min 25 sec
• test_unparse: 2 min 23 sec
• test_peg_generator: 2 min 21 sec
• test_lib2to3: 2 min 8 sec
• test_concurrent_futures: 1 min 47 sec
• test_capi: 1 min 42 sec
• test_compileall: 1 min 32 sec
• test_mmap: 1 min 29 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test_curses test_dbm_gnu test_dbm_ndbm test_devpoll test_epoll
test_fcntl test_fork1 test_gdb test_grp test_ioctl test_kqueue
test_multiprocessing_fork test_multiprocessing_forkserver test_nis
test_openpty test_ossaudiodev test_pipes test_poll test_posix
test_pty test_pwd test_readline test_resource test_spwd
test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64

Total duration: 17 min 33 sec

Click to see traceback logs

Traceback (most recent call last):
  File "D:\buildarea\3.11.bolen-windows10\build\Lib\threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "D:\buildarea\3.11.bolen-windows10\build\Lib\test\test_ssl.py", line 4945, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.11.bolen-windows10\build\Lib\socket.py", line 294, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k