From 6a82c1d9cae8817d102d1feb0c2fc51ffce0c895 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko
Date: Tue, 4 Jul 2023 20:40:19 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Turn=20`SSLEOFError`=20into=20`F?= =?UTF-8?q?atalSSLAlert`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch turns a new `ssl.SSLEOFError` into an internally ignored `FatalSSLAlert` allowing it not to leak into the outer abstraction layers in its raw form. The exception is new since Python 3.8 and it's fine to use it unconditionally since we no longer support Python 3.7. This patch also handles `SSLZeroReturnError` same as `SSLEOFError` as it's semantically equivalent per [[1]]. [1]: https://github.com/cherrypy/cheroot/pull/518#issuecomment-1631774708
---
 cheroot/ssl/builtin.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cheroot/ssl/builtin.py b/cheroot/ssl/builtin.py
index 3e15e02d99..b128c858ef 100644
--- a/cheroot/ssl/builtin.py
+++ b/cheroot/ssl/builtin.py
@@ -269,6 +269,13 @@ def wrap(self, sock):
 s = self.context.wrap_socket(
 sock, do_handshake_on_connect=True, server_side=True,
 )
+ except (
+ ssl.SSLEOFError,
+ ssl.SSLZeroReturnError,
+ ) as tls_connection_drop_error:
+ raise errors.FatalSSLAlert(
+ *tls_connection_drop_error.args,
+ ) from tls_connection_drop_error
 except ssl.SSLError as ex:
 if ex.errno == ssl.SSL_ERROR_SSL:
 if _assert_ssl_exc_contains(ex, 'http request'):
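Review bot: The new `except (ssl.SSLEOFError, ssl.SSLZeroReturnError)` clause only takes effect because it sits above `except ssl.SSLError as ex:`, and nothing in the hunk records that ordering constraint. Both exceptions subclass `ssl.SSLError`, so a later reordering would silently route them back into the generic handler; I would add a comment above the clause such as `# Must precede the generic ssl.SSLError handler: both exceptions subclass it.` The commit message describes `FatalSSLAlert` as internally ignored, so peers that drop the connection mid-handshake presumably leave no trace. If the caller (not visible here) indeed discards it without logging, a debug-level log at this point would keep bursts of aborted handshakes visible to operators. The diffstat lists a single changed file, so a regression test for the dropped-handshake path appears to be missing from this patch; the body of `wrap` starts and ends outside the hunk.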