Handle `OpenSSL.SSL.WantReadError` and `WantWriteError` in pyopenssl adapter #332

vashek · 2020-11-02T12:55:45Z

❓ What kind of change does this PR introduce?

📋 What is the related issue number (starting with #)

Fixes #245

❓ What is the current behavior? (You can also link to an open issue here)

❓ What is the new behavior (if this is a feature change)?

📋 Other information:

📋 Checklist:

I think the code is well written
I wrote good commit messages
I have squashed related commits together after the changes have been approved
Unit tests for the changes exist
Integration tests for the changes exist (if applicable)
I used the same coding conventions as the rest of the project
The new code doesn't generate linter offenses
Documentation reflects the changes
The PR relates to only one subject with a clear title
and description in grammatically correct, complete sentences

This change is

cheroot/makefile.py

cheroot/ssl/pyopenssl.py

webknjaz · 2020-11-02T13:28:40Z

@vashek have you considered fixing pyopenssl itself? pyca/pyopenssl#176 (comment)

webknjaz · 2020-11-02T13:30:46Z

cheroot/ssl/pyopenssl.py

+    def sendall(self, *args, **kwargs):
+        """Send whole message to the socket.
+
+        Not supported due to https://github.com/pyca/pyopenssl/issues/176.
+        Until that bug is fixed, sendall() may throw SSL.WantWriteError, but
+        there is no correct way to retry the call because we don't know how
+        many bytes were already transmitted. We could work around this by
+        reimplementing sendall() using send(), but we don't actually use
+        sendall() anywhere.
+        """
+        raise NotImplementedError('sendall() is unsupported by pyOpenSSL')


How about taking https://github.com/pyca/pyopenssl/blob/124a013/src/OpenSSL/SSL.py#L1649-L1677 and adding retries and then resubmitting the fix to the upstream too?

Another interesting code snippet: Lawouach/WebSocket-for-Python#174 (comment).

cheroot/ssl/pyopenssl.py

webknjaz · 2020-11-02T13:32:59Z

cheroot/ssl/pyopenssl.py

+        reimplementing sendall() using send(), but we don't actually use
+        sendall() anywhere.


When you say "we don't use" do you mean not even some internal calls hit it? How do we get the error, then?

We don't, as far as I know, it's just something I noticed while googling the WantWriteError issue.
There is no occurrence of sendall in the whole cheroot project, other than in pyopenssl.py. (Also, my server seems to work with this change.)

Well, if it's unrelated to the PR, it should be in a separate PR.

cheroot/ssl/pyopenssl.py

webknjaz · 2020-11-02T16:30:38Z

Hm... it looks like sendall was used as write() + flush() at some point but then got replaced with write: 60cd709 / a0b1d01.

webknjaz · 2020-11-02T16:40:42Z

Some jobs are failing because of a deprecation warning in cryptography. I've fixed that on master. To get the changes, rebase this PR branch.

cheroot/ssl/pyopenssl.py

webknjaz · 2020-11-04T15:00:52Z

Do you think this can be tested somehow?

webknjaz · 2020-11-04T23:14:45Z

@vashek so what do you think about tests?

webknjaz · 2020-11-23T01:40:21Z

The test will probably need to make the sending and/or receiving socket full like I tried here: https://github.com/pyca/pyopenssl/pull/955/files#diff-5fbedfbbf8f0780aeee680927973f302330dc10fe915c7e7deecf4b0556c492cR3157

vashek · 2021-04-15T00:05:10Z

Sorry for letting this rot. Quite honestly, I'd appreciate if someone could help with the tests - or accept it without them.

vashek · 2022-02-08T23:57:34Z

Any chance of accepting this?

webknjaz · 2023-03-17T02:09:28Z

@vashek I suppose it's hard to write tests for this which is why I'll probably accept it without tests. But #245 (comment) seems to imply that it may be causing problems for retries. Do you have any thoughts on that?

webknjaz linked an issue Nov 2, 2020 that may be closed by this pull request

Unhandled OpenSSL.SSL.WantReadError and WantWriteError raised by PyOpenSSL #245

Open

3 tasks