Fix ssl shutdown by youknowone · Pull Request #6871 · RustPython/RustPython
📝 Walkthrough
Walkthrough
Reworks TLS shutdown: BIO path uses a single SSL_shutdown call; socket path performs a deadline-driven loop that flushes close_notify, waits for peer close_notify using select/timeout handling, maps SSL_WANT_* to SSLWant errors or timeouts, and returns the underlying socket on socket-mode shutdown.
Changes
| Cohort / File(s) | Summary |
|---|---|
OpenSSL shutdown logic crates/stdlib/src/openssl.rs |
Split BIO vs socket modes: BIO uses a single SSL_shutdown and maps errors; socket mode loops SSL_shutdown with deadline/select waits, maps SSL_get_error to SSL_ERROR_WANT_READ/WRITE, handles readiness/timeouts/closed sockets, and may return the underlying socket. |
TLS shutdown sequencing crates/stdlib/src/ssl.rs |
Expanded shutdown from one-shot flush to TLS-aware sequence: flush close_notify, set deadline when present, loop waiting for peer close_notify with per-iteration readiness/timeouts, process TLS records, then mark Completed, clear connection, and return socket or timeout. |
Thread registry cleanup after fork crates/vm/src/stdlib/thread.rs |
Added cleanup of shutdown_handles in after_fork_child: drop dead entries, mark non-current started threads Done, notify waiters, and remove stale entries to avoid waiting on phantom threads in child process. |
Sequence Diagram(s)
sequenceDiagram
participant App as Application
participant TLS as TLS Layer
participant Socket as Socket
participant Selector as Select/Deadline
App->>TLS: shutdown(timeout)
TLS->>TLS: flush pending TLS data\nsend close_notify
alt BIO mode
TLS->>TLS: SSL_shutdown (single call)
TLS-->>App: return Ok(None) or error
else Socket mode (non-blocking)
TLS->>TLS: mark Completed\nclear connection
TLS-->>App: return Ok(Some(socket))
else Socket mode (blocking/timeout)
loop until peer close_notify or deadline
TLS->>Selector: wait socket readiness (deadline)
Selector-->>TLS: ready / timeout
alt timeout
TLS->>TLS: mark Completed\nclear connection
TLS-->>App: return timeout_error or Ok(Some(socket))
else ready
TLS->>Socket: read/process TLS data
Socket-->>TLS: data / EOF
TLS->>TLS: detect peer close_notify?
alt peer close_notify seen
TLS->>TLS: mark Completed\nclear connection
TLS-->>App: return Ok(Some(socket))
else continue loop
end
end
end
end
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~60 minutes
Possibly related PRs
- Share more ssl consts and fix openssl #6462: Modifies
SSL_shutdownhandling and WANT_* mapping—closely related to openssl.rs changes. - Fix SSL handshake partial send #6635: Touches TLS shutdown/close_notify flow and deadline/select waiting—overlaps with ssl.rs changes.
- Drop for PySSLSocket #6791: Adjusts shutdown state management in
ssl.rsand connection cleanup—related to ShutdownState semantics.
Suggested reviewers
- ShaharNaveh
Poem
🐰 I sent a gentle whisper, soft and tight,
Timed my hops beneath the moonlit night,
I peeked, I waited, then let go the thread,
Socket freed — the handshake tucked to bed,
Hooray! I hop away, all tidy and light.
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix ssl shutdown' directly corresponds to the main changes in the pull request, which focus on reworking SSL_shutdown handling across multiple files. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
✏️ Tip: You can configure your own custom pre-merge checks in the settings.
✨ Finishing touches
- 📝 Generate docstrings
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.