🐛 Turn SSLEOFError into FatalSSLAlert

This patch turns a new `ssl.SSLEOFError` into an internally ignored `FatalSSLAlert` allowing it not to leak into the outer abstraction layers in its raw form. The exception is new since Python 3.8 and it's fine to use it unconditionally since we no longer support Python 3.7. This patch also handles `SSLZeroReturnError` same as `SSLEOFError` as it's semantically equivalent per [[1]]. [1]: #518 (comment)
cherrypy · Jan 24, 2024 · 6a82c1d · 6a82c1d
1 parent 931ebd6
commit 6a82c1d
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/cheroot/ssl/builtin.py b/cheroot/ssl/builtin.py
@@ -269,6 +269,13 @@ def wrap(self, sock):
             s = self.context.wrap_socket(
                 sock, do_handshake_on_connect=True, server_side=True,
             )
+        except (
+            ssl.SSLEOFError,
+            ssl.SSLZeroReturnError,
+        ) as tls_connection_drop_error:
+            raise errors.FatalSSLAlert(
+                *tls_connection_drop_error.args,
+            ) from tls_connection_drop_error
         except ssl.SSLError as ex:
             if ex.errno == ssl.SSL_ERROR_SSL:
                 if _assert_ssl_exc_contains(ex, 'http request'):