CherryPy/Cheroot SSL Built-in Adapter Causing Port Contention with Netcat #709

Open
1 of 3 tasks
PraveenKumarVN opened this issue May 9, 2024 · 4 comments
Labels
bug Something is broken triage

Comments

PraveenKumarVN commented May 9, 2024

I'm encountering an issue with CherryPy's built-in SSL adapter where it seems to cause port contention with netcat. When I run a CherryPy server with SSL enabled using the built-in adapter, and establish a TCP connection using netcat (nc localhost 8080) without performing the TLS handshake, I am not able to access the application via the browser or any other client until I complete the TLS handshake in netcat. However, if I switch to using PyOpenSSL, I am able to access the application via other clients while the TLS handshake has not yet been done on the TCP connection via netcat.

I'm not sure why the built-in SSL adapter is causing this behavior, but it seems to be related to how it manages SSL connections or handles socket bindings.

Has anyone encountered a similar issue with CherryPy's built-in SSL adapter? Any insights or suggestions on how to resolve or further debug this issue would be greatly appreciated.

Thank you!

I'm submitting a ...

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?

Here's a summary of the setup and behavior:

  • I have a CherryPy application configured to use SSL with the built-in adapter.
  • When I start the CherryPy server, it binds to the specified port with SSL enabled.
  • Accessing the URL https://localhost:8080/ in the browser returns "Hello, world!"
  • Execute nc localhost 8080 in a terminal
  • Accessing the URL https://localhost:8080/ again in the browser hangs.
  • After terminating the nc command in the terminal with Ctrl+C, "Hello, world!" is returned in the browser.
  • But if I change to cherrypy.server.ssl_module = 'pyopenssl', I am able to access the URL in the browser and other clients while the TCP connection established using nc is still open.

Please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.

import cherrypy  # needed for the decorator and the config/server calls below


class YourApp:
    @cherrypy.expose
    def index(self):
        return "Hello, world!"


if __name__ == '__main__':
    # Configuration
    cherrypy.config.update({
        'server.thread_pool': 10,  # Number of threads in the pool
        'server.socket_host': '0.0.0.0',  # Bind to all interfaces
        'server.socket_port': 8080,  # Port to listen on
        'server.socket_timeout': 60  # Per-socket timeout in seconds
    })

    cherrypy.server.ssl_module = 'builtin'  # Use the built-in SSL module
    cherrypy.server.ssl_certificate = 'cert.pem'  # Path to your SSL certificate
    cherrypy.server.ssl_private_key = 'key.pem'  # Path to the matching private key

    cherrypy.quickstart(YourApp(), '/')

💡 Expected behavior

App should serve requests even if a connection handshake is in progress

📋 Details

📋 Environment

  • Cheroot version: 10.0.1
  • CherryPy version: 18.9.0
  • Python version: 3.11
  • OS: macOS 14.1
  • Browser: all

📋 Additional context
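An added example, not cheroot's, CherryPy's or the reporter's code, that models the two designs the report compares. A one-line preface stands in for the TLS ClientHello so the demo runs offline without certificates, and the names (PREFACE, run_server, can_fetch_while_idle_client_connected) are all constructed here. It assumes, which the thread does not confirm, that the difference comes down to which thread performs the handshake: if the accept loop does it, one idle TCP client (the nc session) stalls every other client until the handshake times out; if a per-connection worker does it under its own bounded timeout, the idle client costs one worker and nothing else.

```python
import socket
import threading

# Constructed stand-in for the TLS ClientHello: the server will not serve a
# connection until it has read this preface, just as a TLS server will not
# serve until the handshake completes.
PREFACE = b"HELLO\n"


def handshake(conn, timeout):
    """Blocking pseudo-handshake: wait (bounded by `timeout`) for the preface."""
    conn.settimeout(timeout)
    data = conn.recv(64)
    if data != PREFACE:
        raise ConnectionError("bad or missing preface")
    return conn


def serve_one(conn):
    """The 'application': answer a handshaken connection and close it."""
    try:
        conn.sendall(b"Hello world!")
    finally:
        conn.close()


def run_server(handshake_in_accept_loop, handshake_timeout=60.0):
    """Start a listener on 127.0.0.1 (ephemeral port); return (port, stop_event).

    handshake_in_accept_loop=True  -> the accept thread performs the handshake
                                      itself (one idle client blocks everyone).
    handshake_in_accept_loop=False -> each connection gets a worker thread that
                                      performs the handshake, then serves.
    """
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    stop = threading.Event()

    def worker(conn):
        try:
            handshake(conn, handshake_timeout)
            serve_one(conn)
        except OSError:  # timeout, reset or bad preface: drop only this client
            conn.close()

    def accept_loop():
        lsock.settimeout(0.1)  # poll `stop` between accepts
        while not stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            if handshake_in_accept_loop:
                try:
                    handshake(conn, handshake_timeout)  # blocks the whole listener
                except OSError:
                    conn.close()
                    continue
                threading.Thread(target=serve_one, args=(conn,), daemon=True).start()
            else:
                threading.Thread(target=worker, args=(conn,), daemon=True).start()
        lsock.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1], stop


def can_fetch_while_idle_client_connected(handshake_in_accept_loop, wait=1.0):
    """Reproduce the report: open an idle connection (like `nc localhost 8080`
    that never speaks), then check whether a well-behaved client is served."""
    port, stop = run_server(handshake_in_accept_loop, handshake_timeout=5.0)
    try:
        idle = socket.create_connection(("127.0.0.1", port))  # sends nothing
        client = socket.create_connection(("127.0.0.1", port))
        client.settimeout(wait)
        try:
            client.sendall(PREFACE)
            return client.recv(64) == b"Hello world!"
        except socket.timeout:
            return False  # the server hung, as the browser does in the report
        finally:
            client.close()
            idle.close()
    finally:
        stop.set()


if __name__ == "__main__":
    print("handshake in accept loop, served:", can_fetch_while_idle_client_connected(True))
    print("handshake in worker thread, served:", can_fetch_while_idle_client_connected(False))
```

Moving the handshake off the accept thread turns one silent connection from a listener-wide outage into the loss of a single worker slot, but whichever layer owns the handshake still needs its own short timeout, separate from the request timeout, or a handful of idle connections exhausts the worker pool instead.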

webknjaz (Member) commented May 9, 2024

Could you attach that Cheroot-only reproducer that I was asking for in #649 (comment)?

PraveenKumarVN (Author) commented May 15, 2024

Hi @webknjaz, please find below the reproducer using only cheroot:

from cheroot import wsgi
from cheroot.ssl.builtin import BuiltinSSLAdapter


def my_crazy_app(environ, start_response):
    # Minimal WSGI app: every request gets a plain-text "Hello world!"
    status = '200 OK'
    response_headers = [('Content-type', 'text/plain')]
    start_response(status, response_headers)
    return [b'Hello world!']


addr = '0.0.0.0', 8070  # bind to all interfaces on port 8070
certfile = 'cert.pem'   # server certificate
keyfile = 'key.pem'     # matching private key

server = wsgi.Server(addr, my_crazy_app)
# Third argument is the certificate chain (None: no intermediate chain file)
server.ssl_adapter = BuiltinSSLAdapter(certfile, keyfile, None)
server.start()

PraveenKumarVN (Author) commented

@webknjaz Any update on this?

webknjaz (Member) commented Nov 5, 2024

Sorry, I didn't have time to look into it, but if you're able to debug this further, it'd be nice. I wonder if this is related to the stdlib ssl module or to our code… Are you sure it's the handshake? Have you tried looking into the network exchange via Wireshark?
