bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)

Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 6f37ebc61e) Co-authored-by: Christian Heimes <christian@python.org>
2025-08-03 00:23:06 +00:00 · 2021-04-09 09:21:54 -07:00 · 2021-04-09 09:21:54 -07:00 · 54d89a33e0
commit 54d89a33e0
parent 4a5c101936
4 changed files with 20 additions and 1 deletions
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -886,6 +886,14 @@ Constants

   .. versionadded:: 3.6

+.. data:: OP_IGNORE_UNEXPECTED_EOF
+
+   Ignore unexpected shutdown of TLS connections.
+
+   This option is only available with OpenSSL 3.0.0 and later.
+
+   .. versionadded:: 3.10
+
 .. data:: HAS_ALPN

   Whether the OpenSSL library has built-in support for the *Application-Layer
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -147,6 +147,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
 OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)

 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003
@ -1164,7 +1165,8 @@ class ContextTests(unittest.TestCase):
        # SSLContext also enables these by default
        default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
                    OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
-                    OP_ENABLE_MIDDLEBOX_COMPAT)
+                    OP_ENABLE_MIDDLEBOX_COMPAT |
+                    OP_IGNORE_UNEXPECTED_EOF)
        self.assertEqual(default, ctx.options)
        ctx.options |= ssl.OP_NO_TLSv1
        self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
--- a/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
+++ b/Misc/NEWS.d/next/Library/2021-04-09-16-14-22.bpo-43794.-1XPDH.rst
@ -0,0 +1 @@
+Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -3212,6 +3212,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
 #endif
 #ifdef SSL_OP_SINGLE_ECDH_USE
    options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    /* Make OpenSSL 3.0.0 behave like 1.1.1 */
+    options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
 #endif
    SSL_CTX_set_options(self->ctx, options);

@ -6270,6 +6274,10 @@ PyInit__ssl(void)
    PyModule_AddIntConstant(m, "OP_NO_RENEGOTIATION",
                            SSL_OP_NO_RENEGOTIATION);
 #endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
+                            SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif

 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
    PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
				`@ -0,0 +1 @@`
				Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)