[3.9] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERROR_SYSCALL (GH-107586) (#107590)

(cherry picked from commit 77e09192b5) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: T. Wouters <thomas@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
2025-12-23 09:19:18 +00:00 · 2024-02-21 17:02:34 +01:00 · 2024-02-21 17:02:34 +01:00 · 468ba95c79
commit 468ba95c79
parent 4b68e5d7ab
2 changed files with 10 additions and 0 deletions
--- a/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
+++ b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst
@ -0,0 +1,6 @@
+Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL``
+instead of ``SSL_ERROR_SSL`` when a certification verification has failed,
+but the error parameters will still contain ``ERR_LIB_SSL`` and
+``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and
+raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo
+Galindo
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -817,6 +817,10 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
                    errstr = "Some I/O error occurred";
                }
            } else {
+                if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
+                        ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+                    type = PySSLCertVerificationErrorObject;
+                }
                p = PY_SSL_ERROR_SYSCALL;
            }
            break;