pyca / pyopenssl

A Python wrapper around the OpenSSL library
https://pyopenssl.org/
Apache License 2.0

Raise a More Specific Error for SSL_ERROR_SYSCALL? #1188

Closed blink1073 closed 11 months ago

blink1073 commented 1 year ago

Hi, thanks for this library! We noticed that in some cases PyOpenSSL returns error messages of the form OpenSSL.SSL.SysCallError: (54, 'ECONNRESET'), whereas the equivalent condition when using the builtin ssl module would raise a ConnectionError with the str() form containing Connection reset by peer. I believe this comes from the use of PyErr_SetFromErrno, versus the custom SysCallError. Given that PyOpenSSL is pure Python, I imagine some custom logic would be needed to achieve the same.

alex commented 1 year ago

It's a bit verbose, but you should be able to get that value with os.strerror(e.args[0])

ShaneHarvey commented 1 year ago

When the server is configured to require a client cert but the client does not present one, we would expect to see an error with "certificate required", "SSL handshake failed", "Connection reset by peer", or one of the equivalent errnos (like ECONNRESET) but we're actually seeing pyopenssl raise (32, 'EPIPE') on macOS (in https://jira.mongodb.org/browse/PYTHON-3607). My understanding is that EPIPE indicates a bug in openssl/pyopenssl, what do you think?

alex commented 1 year ago

Your comment appears unrelated to the original bug?

On Wed, Feb 22, 2023 at 3:19 PM Shane Harvey @.***> wrote:

When the server is configured to require a client cert but the client does not present one, we would expect to see an error with "certificate required", "SSL handshake failed", "Connection reset by peer", or one of the equivalent errnos (like ECONNRESET) but we're actually seeing pyopenssl raise (32, 'EPIPE') on macOS (in https://jira.mongodb.org/browse/PYTHON-3607). My understanding is that EPIPE indicates a bug in openssl/pyopenssl, what do you think?


-- All that is necessary for evil to succeed is for good people to do nothing.

ShaneHarvey commented 1 year ago

Good point, opened https://github.com/pyca/pyopenssl/issues/1189.

facutuesca commented 11 months ago

The original issue seems to be solved (using os.strerror to get the readable string description of the error code).

@mhils I think this one can be closed
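The `os.strerror(e.args[0])` suggestion from this thread, carried one step further as an added example (not code from pyOpenSSL or from any commenter): it rebuilds the `(errno, name)` pair as the `OSError` subclass the builtin `ssl` module would raise, so existing `except ConnectionError` handlers keep working. The `SysCallError` class below is a stand-in with the same args shape so the block runs without pyOpenSSL installed, `to_oserror` is a hypothetical helper name, and the non-errno branch is a defensive assumption.

```python
import errno
import os


class SysCallError(Exception):
    """Stand-in with the args shape shown in the issue: (errno, name)."""


def to_oserror(exc):
    """Rebuild an (errno, name) exception as the matching OSError subclass."""
    code = exc.args[0] if exc.args else None
    if not isinstance(code, int) or code <= 0:
        # Assumption: a first argument that is not a real errno may occur.
        # Keep the original text instead of inventing a system error message.
        err = OSError(str(exc))
    else:
        # OSError(errno, strerror) returns the specific subclass (PEP 3151):
        # ECONNRESET -> ConnectionResetError, EPIPE -> BrokenPipeError.
        err = OSError(code, os.strerror(code))
    err.__cause__ = exc  # keep the original exception for debugging
    return err


if __name__ == "__main__":
    # Constructed samples; errno values are taken from the local platform
    # (ECONNRESET is 54 on macOS, as in the report, and 104 on Linux).
    samples = [
        SysCallError(errno.ECONNRESET, "ECONNRESET"),
        SysCallError(errno.EPIPE, "EPIPE"),
        SysCallError(-1, "constructed non-errno value"),
    ]
    for sample in samples:
        converted = to_oserror(sample)
        print(type(converted).__name__, "-", converted)
```

With real pyOpenSSL, the same helper would be called from an `except OpenSSL.SSL.SysCallError as e:` block, followed by `raise to_oserror(e) from e`.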