gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361

encukou · 2024-11-28T13:19:38Z

One way OpenSSL can report a failed syscall is SSL_ERROR_SYSCALL. We have that one covered.

But, another way is ERR_LIB_SYS. Apparently, it's being used more now, and causing issues on OpenSSL 3.4.0 on Arch buildbots.

From the ERR_raise manpage:

ERR_LIB_SYS

    This "library code" indicates that a system error is
    being reported.  In this case, the reason code given
    to `ERR_raise()` and `ERR_raise_data()` *must* be
    `errno(3)`.

This PR only handles ERR_LIB_SYS for the high-lever error types
SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where
OpenSSL indicates it has some more information about the issue.

I believe it's correct to raise OSError rather that SSLError
in these cases. That makes this a backwards-incompatible change
(but one we still might want to backport as a bugfix).

The error on Arch with OpenSSL 3.4.0 is broken pipe (EPIPE) when a client reads after the server shuts down. On my Arch, raising OSError makes test_poplip pass.

Issue: [tests] test_poplib fails with "env changed" on Arch Linux with OpenSSL 3.4: [SYS] unknown error (_ssl.c:2634) #127257

From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`.

encukou · 2024-11-28T13:35:47Z

!buildbot Arch.Linux

bedevere-bot · 2024-11-28T13:35:49Z

🤖 New build scheduled with the buildbot fleet by @encukou for commit 0098897 🤖

The command will test the builders whose names match following regular expression: Arch.Linux

The builders matched are:

AMD64 Arch Linux Perf PR
AMD64 Arch Linux Asan PR
AMD64 Arch Linux VintageParser PR
AMD64 Arch Linux Valgrind PR
AMD64 Arch Linux Usan PR
AMD64 Arch Linux Usan Function PR
AMD64 Arch Linux Asan Debug PR
AMD64 Arch Linux TraceRefs PR

petermarko · 2024-11-28T20:07:53Z

This fixes #125936 for me.
Thanks!

python/cpython#127331 python/cpython#127361 (From OE-Core rev: e271e9cbf896f1fb97d56c426e4217a6d2105ea4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python/cpython#127331 python/cpython#127361 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python/cpython#127331 python/cpython#127361 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <peter.markosiemens.com> Signed-off-by: Richard Purdie <richard.purdielinuxfoundation.org>

encukou · 2024-12-04T09:05:23Z

ssl experts (@jackjansen, @tiran, @dstufft, @alex): Do you want to check the change?
I think this is the correct place, and the correct error to raise, but I'd appreciate someone with domain knowledge.

encukou · 2024-12-09T12:31:40Z

If there are no objections, I'll merge tomorrow to unblock the buildbots.

vstinner

The change looks good to me. I don't know how to test it in a reliable way. Let's see how it goes with EPIPE and OpenSSL 3.4.

miss-islington-app · 2024-12-11T08:18:57Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <encukou@gmail.com>

bedevere-app · 2024-12-11T08:19:13Z

GH-127812 is a backport of this pull request to the 3.13 branch.

…127812) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <encukou@gmail.com>

miss-islington-app · 2024-12-12T11:45:15Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

miss-islington-app · 2024-12-13T11:03:26Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <encukou@gmail.com>

bedevere-app · 2024-12-13T11:03:39Z

GH-127905 is a backport of this pull request to the 3.12 branch.

…127905) gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361) From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue. (cherry picked from commit f4b31ed) Co-authored-by: Petr Viktorin <encukou@gmail.com>

python/cpython#127331 python/cpython#127361 (From OE-Core rev: e5f3a1793e34fb4cd1e53ca60b67f9a9f084b7a6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`. This PR only handles ERR_LIB_SYS for the high-lever error types SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where OpenSSL indicates it has some more information about the issue.

OpenSSL 3.4.0 returns `ERR_LIB_SYS` in some more situations than it used to. In the case exercised by `SingleTLSLayerTestCase.test_close_after_handshake`, python/cpython#127361 (also backported to the 3.12 and 3.13 branches) turns this into `BrokenPipeError`. It seems reasonable to treat this in the same way as `ConnectionAbortedError` and `ConnectionResetError`.

ssl: Raise OSError for ERR_LIB_SYS

11e0523

From the ERR_raise manpage: ERR_LIB_SYS This "library code" indicates that a system error is being reported. In this case, the reason code given to `ERR_raise()` and `ERR_raise_data()` *must* be `errno(3)`.

encukou requested a review from gpshead November 28, 2024 13:19

bedevere-app bot mentioned this pull request Nov 28, 2024

[tests] test_poplib fails with "env changed" on Arch Linux with OpenSSL 3.4: [SYS] unknown error (_ssl.c:2634) #127257

Closed

bedevere-app bot added the awaiting core review label Nov 28, 2024

Add blurb

0098897

vstinner approved these changes Dec 9, 2024

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Dec 9, 2024

encukou merged commit f4b31ed into python:main Dec 10, 2024
50 of 53 checks passed

encukou deleted the ssl-sys-error branch December 10, 2024 10:56

bedevere-app bot removed the awaiting merge label Dec 10, 2024

encukou added the needs backport to 3.13 bugs and security fixes label Dec 11, 2024

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Dec 11, 2024

encukou added the needs backport to 3.12 bug and security fixes label Dec 12, 2024

petermarko mentioned this pull request Dec 12, 2024

openssl-3.4.0 compatibility #125936

Closed

encukou added needs backport to 3.12 bug and security fixes and removed needs backport to 3.12 bug and security fixes labels Dec 13, 2024

bedevere-app bot removed the needs backport to 3.12 bug and security fixes label Dec 13, 2024

cjwatson mentioned this pull request Jan 9, 2025

SingleTLSLayerTestCase: Catch BrokenPipeError urllib3/urllib3#3547

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361

gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361

encukou commented Nov 28, 2024 •

edited by bedevere-app bot

Loading

encukou commented Nov 28, 2024

bedevere-bot commented Nov 28, 2024

petermarko commented Nov 28, 2024

encukou commented Dec 4, 2024

encukou commented Dec 9, 2024

vstinner left a comment

miss-islington-app bot commented Dec 11, 2024

bedevere-app bot commented Dec 11, 2024

miss-islington-app bot commented Dec 12, 2024

miss-islington-app bot commented Dec 13, 2024

bedevere-app bot commented Dec 13, 2024

gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361

gh-127257: ssl: Raise OSError for ERR_LIB_SYS #127361

Conversation

encukou commented Nov 28, 2024 • edited by bedevere-app bot Loading

encukou commented Nov 28, 2024

bedevere-bot commented Nov 28, 2024

petermarko commented Nov 28, 2024

encukou commented Dec 4, 2024

encukou commented Dec 9, 2024

vstinner left a comment

Choose a reason for hiding this comment

miss-islington-app bot commented Dec 11, 2024

bedevere-app bot commented Dec 11, 2024

miss-islington-app bot commented Dec 12, 2024

miss-islington-app bot commented Dec 13, 2024

bedevere-app bot commented Dec 13, 2024

encukou commented Nov 28, 2024 •

edited by bedevere-app bot

Loading