Skip to content

Commit 21ea257

Browse files
authored
Merge pull request #3097 from CoolCat467/dtls-2024
Remove 2nd client hello post openssl 1.1.1 bug workaround
2 parents af010af + 914b9e8 commit 21ea257

File tree

2 files changed

+1
-17
lines changed

2 files changed

+1
-17
lines changed

newsfragments/3097.removal.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Remove workaround for OpenSSL 1.1.1 DTLS ClientHello bug.

src/trio/_dtls.py

Lines changed: 0 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -734,23 +734,6 @@ async def handle_client_hello_untrusted(
734734
# after all.
735735
return
736736

737-
# Some old versions of OpenSSL have a bug with memory BIOs, where DTLSv1_listen
738-
# consumes the ClientHello out of the BIO, but then do_handshake expects the
739-
# ClientHello to still be in there (but not the one that ships with Ubuntu
740-
# 20.04). In particular, this is known to affect the OpenSSL v1.1.1 that ships
741-
# with Ubuntu 18.04. To work around this, we deliver a second copy of the
742-
# ClientHello after DTLSv1_listen has completed. This is safe to do
743-
# unconditionally, because on newer versions of OpenSSL, the second ClientHello
744-
# is treated as a duplicate packet, which is a normal thing that can happen over
745-
# UDP. For more details, see:
746-
#
747-
# https://github.com/pyca/pyopenssl/blob/e84e7b57d1838de70ab7a27089fbee78ce0d2106/tests/test_ssl.py#L4226-L4293
748-
#
749-
# This was fixed in v1.1.1a, and all later versions. So maybe in 2024 or so we
750-
# can delete this. The fix landed in OpenSSL master as 079ef6bd534d2, and then
751-
# was backported to the 1.1.1 branch as d1bfd8076e28.
752-
stream._ssl.bio_write(packet)
753-
754737
# Check if we have an existing association
755738
old_stream = endpoint._streams.get(address)
756739
if old_stream is not None:

0 commit comments

Comments
 (0)