bpo-31711: Fix for calling SSLSocket.send with empty input. by rkondratenko · Pull Request #7559 · python/cpython

I see a potential issue with this patch. Simply speaking, TLS/SSL has two different kinds of messages. There is application data and protocol data. SSL_write and SSL_read not only transmit application data, but they also flush and check for protocol data. That's why a read operation may also send data and a write operation may also read data.

This patch breaks the assumption that send() also takes care of protocol data. With TLS 1.2, it's not a big issue. Most critical protocol data like session and client cert auth are handled in the TLS handshake. However, in TLS 1.3, the server side sends a TLS client auth request much later. Usually it occurs after the first write. Speaking of the handshake, with this patch, send() may no longer establish a handshake with do_handshake_on_connect=False, too.

I'm -1 on this patch. Let's figure out how to flush / check protocol data and handle implicit handshake correctly.