I failed to reproduce https://bugs.python.org/issue43921#msg391677 failure locally on my Windows 10 VM. I used the command:

python -m test test_ssl -m test_wrong_cert_tls13 -v -F -j4

I also ran the same command (./python -m test test_ssl -m test_wrong_cert_tls13 -v -F -j4) on Linux, just in case I can reproduce it on Linux.

On Windows and Linux, I see that the client manages to write 4 bytes and then get a SSL error on the first read() call.

Maybe the issue is that write() and read() results are not checked by the test.

Seen on Windows: the first read() returned an empty string, but the test still pass since the second write() raised an SSL exception.

test_wrong_cert_tls13 (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 54508)
write1 4
recv1 0

SSLError is SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:2370)')

 server:  bad connection attempt from ('127.0.0.1', 54508):
Traceback (most recent call last):
   File "C:\vstinner\python\main\lib\test\test_ssl.py", line 2364, in wrap_conn
    self.sslconn = self.server.context.wrap_socket(
   File "C:\vstinner\python\main\lib\ssl.py", line 518, in wrap_socket
    return self.sslsocket_class._create(
   File "C:\vstinner\python\main\lib\ssl.py", line 1070, in _create
    self.do_handshake()
   File "C:\vstinner\python\main\lib\ssl.py", line 1339, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:983)
ok

If I remove the first read() to only keep the second one, I can more easily reproduce the issue on Windows. The second read() returned an empty string and the test failed because no SSL exception was raised:

write1 4
write2 26

 server:  bad connection attempt from ('127.0.0.1', 54565):
Traceback (most recent call last):
   File "C:\vstinner\python\main\lib\test\test_ssl.py", line 2364, in wrap_conn
    self.sslconn = self.server.context.wrap_socket(
   File "C:\vstinner\python\main\lib\ssl.py", line 518, in wrap_socket
    return self.sslsocket_class._create(
   File "C:\vstinner\python\main\lib\ssl.py", line 1070, in _create
    self.do_handshake()
   File "C:\vstinner\python\main\lib\ssl.py", line 1339, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:983)
recv2 0
FAIL

The question is now why read() doesn't return an empty string on Linux, but it does on Windows.

read() error

• (A) when SSL_read_ex() fails with ssl error 1 (SSL_ERROR_SSL) and ERR_peek_last_error()=0x14094418, a SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2528)') exception is raised.
• (B) when SSL_read_ex() fails with ssl error 5 (SSL_ERROR_SYSCALL) and Windows error 10054 (WSAECONNRESET), an SSLEOFError exception is raised. But SSLSocket.read() catchs this exception and returns it with an empty string, since the SSLSocket is created with suppress_ragged_eofs=True.

I saw (A) on Windows and Linux.

I only saw (B) on Windows.

write() error

• (C) when SSL_write_ex() fails with ssl error 5 (SSL_ERROR_SYSCALL) and C errno 104 (ECONNRESET), SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:2373)') is raised
• (D) when SSL_write_ex() fails with ssl error 5 (SSL_ERROR_SYSCALL) and Windows error 10054 (WSAECONNRESET): SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:2373)') is raised

I only saw (C) on Linux.

I only saw (D) on Windows.

I both cases, it's SSLEOFError.

I created PR #26502 to fix the issue.