Skip to content

Improve support for TLS 1.3 post-handshake authΒ #209

Description

@webknjaz

❓ I'm submitting a ...

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?

Failed TLS auth causes an exception happening after the TLS handshake if the client uses post_handshake_auth TLS extension. This happens when the server tries to read bytes with HTTP payload from the TCP connection (when starting to parse HTTP request). This code should also be protected by try/except wrapper.

❓ What is the motivation / use case for changing the behavior?

Make it work.

πŸ’‘ To Reproduce

N/A

πŸ’‘ Expected behavior

No traceback.

πŸ“‹ Details

πŸ“‹ Environment

  • Cheroot version: master
  • CherryPy version: master
  • Python version: 3.7
  • OS: N/A
  • Browser: N/A

πŸ“‹ Additional context

cherrypy/cherrypy#1509 (comment)

2019-06-23 11:45:27,812::WARNING::[_cplogging:216] [23/Jun/2019:11:45:27] ENGINE socket.error 1
Traceback (most recent call last):
  File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 1263, in communicate
    req.parse_request()
  File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 719, in parse_request
    success = self.read_request_line()
  File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 760, in read_request_line
    request_line = self.rfile.readline()
  File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 302, in readline
    data = self.rfile.readline(256)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 513, in readline
    b = self.read(nreadahead())
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 492, in nreadahead
    readahead = self.peek(1)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 1076, in peek
    return self._peek_unlocked(size)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 1083, in _peek_unlocked
    current = self.raw.read(to_read)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\ssl.py", line 1052, in recv_into
    return self.read(nbytes, buffer)
  File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\ssl.py", line 911, in read
    return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2488)

cc @Safihre

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething is brokenenhancementImprovementhelp wantedSomebody help us, please!reproducer: missingThis PR or issue lacks code, which reproduce the problem described or clearly understandable STR

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions