8000 Deal with BrokenPipeError since openssl 3.4.x. by pmgdeb · Pull Request #2103 · gevent/gevent · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Deal with BrokenPipeError since openssl 3.4.x. #2103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Deal with BrokenPipeError since openssl 3.4.x. #2103

wants to merge 1 commit into from

Conversation

pmgdeb
Copy link
@pmgdeb pmgdeb commented Apr 22, 2025

Follows from the changes in gh-127257 and the test adaption in gh-115627.

gh-127257: ssl: Raise OSError for ERR_LIB_SYS
gh-115627: Fix ssl test_pha_required_nocert()

We are building openSUSE Factory with OpenSSL 3.5 and we can see that gevent fails the test__server.py with BrokenPipeError, here is the error output:

[  147s]   ..sTraceback (most recent call last):
[  147s]     File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
[  147s]       result = self._run(*self.args, **self.kwargs)
[  147s]     File "/home/abuild/rpmbuild/BUILD/python-gevent-24.10.3-build/BUILDROOT/usr/lib64/python3.11/site-packages/gevent/baseserver.py", line 34, in _handle_and_close_when_done
[  147s]       return handle(*args_tuple)
[  147s]              ^^^^^^^^^^^^^^^^^^^
[  147s]     File "/home/abuild/rpmbuild/BUILD/python-gevent-24.10.3-build/BUILDROOT/usr/lib64/python3.11/site-packages/gevent/server.py", line 210, in wrap_socket_and_handle
[  147s]       return self.handle(ssl_socket, address)
[  147s]              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[  147s]     File "/home/abuild/rpmbuild/BUILD/python-gevent-24.10.3-build/BUILDROOT/usr/lib64/python3.11/site-packages/gevent/tests/test__server.py", line 27, in handle
[  147s]       request_line = fd.readline()
[  147s]                      ^^^^^^^^^^^^^
[  147s]     File "/usr/lib64/python3.11/socket.py", line 718, in readinto
[  147s]       return self._sock.recv_into(b)
[  147s]              ^^^^^^^^^^^^^^^^^^^^^^^
[  147s]     File "/home/abuild/rpmbuild/BUILD/python-gevent-24.10.3-build/BUILDROOT/usr/lib64/python3.11/site-packages/gevent/ssl.py", line 635, in recv_into
[  147s]       return self.read(nbytes, buffer)
[  147s]              ^^^^^^^^^^^^^^^^^^^^^^^^^
[  147s]     File "/home/abuild/rpmbuild/BUILD/python-gevent-24.10.3-build/BUILDROOT/usr/lib64/python3.11/site-packages/gevent/ssl.py", line 437, in read
[  147s]       bytes_read += self._sslobj.read(nbytes, buffer)
[  147s]                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[  147s]   BrokenPipeError: [Errno 32] Broken pipe
[  147s]   2025-04-20T23:39:43Z <Greenlet at 0x7f5d518b5d90: _handle_and_close_when_done(<bound method StreamServer.wrap_socket_and_handle , <bound method StreamServer.do_close of <SimpleStre, (<gevent._socket3.socket [closed] at 0x7f5d50cfae5)> failed with BrokenPipeError

Please, let me know if you need more info. TIA

@jamadden
Copy link
Member

I am unable to reproduce this on Python 3.13.3 with OpenSSL 3.5.0 on either macOS or Linux (the manylinux 2014 image, in which I manually upgraded OpenSSL). Which specific test is failing, and how is it failing? (i.e., what's the rest of the log?)

That aside, it's not clear to me that the approach in this PR is correct. EPIPE/BrokenPipeError means the remote connection has dropped unexpectedly; this is a layer below the SSL framing layer. Typically, you want this exception to propagate so the user of the socket knows there's been a problem; the standard library didn't add any code to hide this error when it occurs.

@pmgdeb
Copy link
Author
pmgdeb commented Apr 24, 2025

Hi, it fails in python311 but not for newer python versions. Here is a good build and the attached file contains the build failure with OpenSSL 3.5.0.
gevent_log.txt

Thanks for you answer, I also think this should be handled only in the regression test and not in src/gevent/ssl.py to correctly propagate the exception. I'll change the PR as soon as possible.

@jamadden
Copy link
Member

The logs you provided don't show an error in gevent's test__server.py. Instead, they show several errors in the standard library's test_ssl.py, all of type ConnectionRefusedError.

I can indeed reproduce that failure using Python 3.11.12 and OpenSSL 3.5.0. (And I can't produce a failure in test__server.py).

However, I reproduce that failure whether or not I use gevent. That is, python -m gevent.testing.monkey_test test_ssl.py (to run the test with gevent) and python -m test.test_ssl (to run the unchanged standard library test) produce the same ConnectionRefusedError.

This indicates it is not a problem in gevent. Instead, it is a problem using Python 3.11.12 (which is only tested with OpenSSL 3.0) with OpenSSL 3.5.

@jamadden
Copy link
Member

The relevant CPython change appears to be this one, which appears to only have been backported to 3.12, not 3.11 or older, probably because those versions are either in security-fix-only mode or unsupported altogether.

@pmgdeb
Copy link
Author
pmgdeb commented Apr 25, 2025

I think gevent is running a copy of the test_ssl.py from cpython but its missing this recent commit: gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError in ConnectionHandler;. This cpython PR was ported to 3.12 and 3.13 but not for 3.11.

I have verified that adding those changes fixes it for 3.12 and 3.13 as well with the latest version. Note that, it was failing for us with 3.11 as we ported some of the fixes in 3.12 to work with OpenSSL 3.5.0.

I think you would need to update the test_ssl to sync with cpython, I can change this PR to add those changes. Please, let me know your view on this. TIA

@pmgdeb
Port the cpython changes to the test_ssl in gh-126500:
7ea6fa7 
test_ssl: Don't stop ThreadedEchoServer on OSError in ConnectionHandler
@pmgdeb pmgdeb force-pushed the openssl_3_5_0-BrokenPipe branch from 4dd56d8 to 7ea6fa7 Compare April 25, 2025 10:14
@jamadden
Copy link
Member

We don't make changes to the standard library tests. We don't backport changes the coredevs don't.

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Apr 25, 2025
@bmwiedemann
Update python-gevent to version 25.4.2 / rev 55 via SR 1272752
ed0f4bc 
https://build.opensuse.org/request/show/1272752
by user mcepl + anag_factory
- Update to 25.4.2: [bsc#1241067, bsc#1241037]
  * Make gevent's queue classes subscriptable to match the standard
    library. See issue #2102.
  * Make the c-ares resolver build on Windows.
  * The gevent testsuite runs a copy of the test_ssl from cpython but
    the follwoing change has not been ported yet:
    - gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError
      in ConnectionHandler [gh#python/cpython/pull/126503]
    - Rebase gevent-openssl35-test-fix.patch
    - Upstream PR: [gh#gevent/gevent/pull/2103]

- Update to 25.4.1
  * Remove some legacy code that supported Python 2 for compatibility
    with the upcoming releases of Cython 3.1.
  * Add a new environment variable and configuration setting to control
    whether blocking reports are printed by the monitor threa
@mcepl
Copy link
mcepl commented Apr 28, 2025
edited
Loading

We don't make changes to the standard library tests. We don't backport changes the coredevs don't.

Couldn’t you just USE the standard library tests? I don’t know what happens when you build from the Python upstream tarball, but most distributions I know about have some package like (on openSUSE) called python311-testsuite which includes installed test/ subdirectory. Then all the patching etc. would be on the distro maintainers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pmgdeb @jamadden @mcepl
0