From b0b34a07c5942a660f9c535826f6a12cc0610ab9 Mon Sep 17 00:00:00 2001
From: Pablo Galindo Salgado
Date: Thu, 3 Aug 2023 13:37:14 +0100
Subject: [PATCH 1/2] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERROR_SYSCALL (GH-107586)
(cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc)
Co-authored-by: Pablo Galindo Salgado
Co-authored-by: T. Wouters
---
 .../Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst | 6 ++++++
 Modules/_ssl.c | 4 ++++
 2 files changed, 10 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
diff --git a/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
new file mode 100644
index 00000000000000..ecaf437a48e0ae
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
@@ -0,0 +1,6 @@
+Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL``
+instead of ``SSL_ERROR_SSL`` when a certification verification has failed,
+but the error parameters will still contain ``ERR_LIB_SSL`` and
+``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and
+raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo
+Galindo
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 0498c153caaf26..fe807280b4ab60 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -817,6 +817,10 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
 errstr = "Some I/O error occurred";
 }
 } else {
+ if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
+ ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+ type = state->PySSLCertVerificationErrorObject;
+ }
 p = PY_SSL_ERROR_SYSCALL;
 }
 break;
From 1adc41d87bec93764ce933388031b07307212e19 Mon Sep 17 00:00:00 2001
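Review bot: The branch added inside the `} else {` arm has no comment explaining why a certificate-verification failure is looked for under SSL_ERROR_SYSCALL, so the check reads as misplaced to anyone who has not seen the NEWS entry; I would put `/* OpenSSL can report a failed certificate verification as SSL_ERROR_SYSCALL while the queued error is still ERR_LIB_SSL / SSL_R_CERTIFICATE_VERIFY_FAILED (gh-107077). */` above the `if`. Note also that `p` is still set to `PY_SSL_ERROR_SYSCALL` after the type switch, so the raised SSLCertVerificationError presumably carries the SYSCALL error code rather than the SSL one. Callers that branch on the code instead of the exception class would then still treat a rejected certificate as an I/O failure, which is worth confirming as intended. The diffstat lists only the NEWS file and `Modules/_ssl.c`, so no regression test pins this path. PySSL_SetError begins and ends outside the hunk.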
From: Serhiy Storchaka
Date: Wed, 31 Jan 2024 23:05:34 +0200
Subject: [PATCH 2/2] Fix backport.
---
 Modules/_ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index fe807280b4ab60..3f95d3e10374d8 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -819,7 +819,7 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
 } else {
 if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
 ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
- type = state->PySSLCertVerificationErrorObject;
+ type = PySSLCertVerificationErrorObject;
 }
 p = PY_SSL_ERROR_SYSCALL;
 }
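Review bot: The commit message `Fix backport.` does not say what was broken. From the one changed line it appears that `state` is not available in PySSL_SetError on this branch, so patch 1/2 on its own would presumably not compile. Squashing this change into 1/2, or at least naming the missing `state` variable in the message, would keep every commit in the series buildable for bisecting. The enclosing function starts and ends outside the hunk.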