Skip to content

gh-134698: Hold a lock when the thread state is detached in ssl #134724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Jul 25, 2025
+89 −50
Merged

gh-134698: Hold a lock when the thread state is detached in ssl #134724

Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
4ffb568
Lock when the thread state is detached.
ZeroIntensity May 26, 2025
d0e0668
Add a test.
ZeroIntensity May 26, 2025
16cab83
Add blurb.
ZeroIntensity May 26, 2025
ece939a
Use global constant in the test.
ZeroIntensity May 26, 2025
18da64f
Zero-out the mutex and don't try to reacquire it in a callback.
ZeroIntensity May 26, 2025
4f6928d
Remove generated test file.
ZeroIntensity May 26, 2025
13d2e7d
Lock the context when creating a new SSL socket.
ZeroIntensity May 26, 2025
d2f5cc1
Fix _PySSL_FIX_ERRNO silliness.
ZeroIntensity May 26, 2025
d40d1b4
Merge branch 'main' into fix-ssl-race
gpshead Jul 25, 2025
39323ab
Also update the new `_ssl__SSLSocket_sendfile_impl`
gpshead Jul 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add a test.
  • Loading branch information
@ZeroIntensity
ZeroIntensity committed May 26, 2025
commit d0e066835cbb67d921b2aa4edc9e4e6621474649
19 changes: 19 additions & 0 deletions Lib/test/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1238,6 +1238,25 @@ def getpass(self):
# Make sure the password function isn't called if it isn't needed
ctx.load_cert_chain(CERTFILE, password=getpass_exception)

@threading_helper.requires_working_threading()
def test_load_cert_chain_thread_safety(self):
# gh-134698: _ssl detaches the thread state (and as such,
# releases the GIL and critical sections) around expensive
# OpenSSL calls. Unfortunately, OpenSSL structures aren't
# thread-safe, so executing these calls concurrently led
# to crashes.
ctx = ssl.create_default_context()

def race():
ctx.load_cert_chain("./Lib/test/certdata/keycert.pem")

threads = [threading.Thread(target=race) for _ in range(8)]
with threading_helper.catch_threading_exception() as cm:
with threading_helper.start_threads(threads):
pass

self.assertIsNone(cm.exc_value)

def test_load_verify_locations(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_verify_locations(CERTFILE)
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy