From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Thu, 3 Aug 2023 14:09:29 +0000 (-0700) Subject: [3.12] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERR... X-Git-Tag: v3.12.0rc1~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93fcf7587888e93ff7e45f4422c315f8a5f1ba0d;p=thirdparty%2FPython%2Fcpython.git [3.12] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERROR_SYSCALL (GH-107586) (#107587) Co-authored-by: Pablo Galindo Salgado Co-authored-by: T. Wouters --- diff --git a/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst new file mode 100644 index 000000000000..ecaf437a48e0 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2023-08-03-12-52-19.gh-issue-107077.-pzHD6.rst @@ -0,0 +1,6 @@ +Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL`` +instead of ``SSL_ERROR_SSL`` when a certification verification has failed, +but the error parameters will still contain ``ERR_LIB_SSL`` and +``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and +raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo +Galindo diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 619b4f4e94d0..e939f9504898 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -647,6 +647,10 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno) errstr = "Some I/O error occurred"; } } else { + if (ERR_GET_LIB(e) == ERR_LIB_SSL && + ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) { + type = state->PySSLCertVerificationErrorObject; + } p = PY_SSL_ERROR_SYSCALL; } break;
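Review bot: The NEWS entry has wording errors in its second and fifth lines: "certification verification" should read "certificate verification", and "appropiate" should read "appropriate". The opening "Seems that in some conditions" is also vague for a changelog; a direct statement such as "In some conditions OpenSSL returns ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when certificate verification has failed" would read better, and the closing "Patch by Pablo Galindo" is missing its final period.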
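Review bot: In the `else` branch of the Modules/_ssl.c hunk, `type` is switched to `state->PySSLCertVerificationErrorObject` but the next statement still sets `p = PY_SSL_ERROR_SYSCALL`, so the exception class and the error code it carries disagree. If that is intended, a short comment above the new `if` should say so and explain that OpenSSL can report `SSL_R_CERTIFICATE_VERIFY_FAILED` on the `SSL_ERROR_SYSCALL` path, since the condition otherwise looks out of place there. The diff touches only the NEWS entry and `Modules/_ssl.c`, so a regression test is missing: add one asserting that a failed verification on this path raises `ssl.SSLCertVerificationError`, so callers that catch that class to detect a rejected certificate keep working.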