Skip to content

gh-142516: fix reference leaks in ssl.SSLContext objects #143685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
picnixz merged 6 commits into from
Feb 21, 2026
Merged

gh-142516: fix reference leaks in ssl.SSLContext objects #143685

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cfca05f
gh-142516: fix reference leaks in `ssl.SSLContext` objects
picnixz Jan 11, 2026
ba02a26
test! add regression tests
picnixz Jan 11, 2026
6b08305
chore! NEWS entry
picnixz Jan 11, 2026
57d4fba
fix tests on Windows
picnixz Jan 11, 2026
9083a84
Merge branch 'main' into fix/ssl/leak-gc-142516
picnixz Feb 7, 2026
02226ce
post-merge
picnixz Feb 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
test! add regression tests
  • Loading branch information
@picnixz
picnixz committed Jan 11, 2026
commit ba02a266b9909d3feb7b257ad1c5f272db167bc1
100 changes: 84 additions & 16 deletions Lib/test/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@
CAN_GET_SELECTED_OPENSSL_SIGALG = ssl.OPENSSL_VERSION_INFO >= (3, 5)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')

HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
requires_keylog = unittest.skipUnless(
HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')

PROTOCOL_TO_TLS_VERSION = {}
for proto, ver in (
("PROTOCOL_SSLv3", "SSLv3"),
Expand Down Expand Up @@ -265,34 +269,69 @@ def utc_offset(): #NOTE: ignore issues like #1647654
)


def test_wrap_socket(sock, *,
cert_reqs=ssl.CERT_NONE, ca_certs=None,
ciphers=None, ciphersuites=None,
min_version=None, max_version=None,
certfile=None, keyfile=None,
**kwargs):
if not kwargs.get("server_side"):
kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
else:
def make_test_context(
*,
server_side=False,
check_hostname=None,
cert_reqs=ssl.CERT_NONE,
ca_certs=None, certfile=None, keyfile=None,
ciphers=None, ciphersuites=None,
min_version=None, max_version=None,
):
if server_side:
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
if cert_reqs is not None:
else:
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

if check_hostname is None:
if cert_reqs == ssl.CERT_NONE:
context.check_hostname = False
else:
context.check_hostname = check_hostname

if cert_reqs is not None:
context.verify_mode = cert_reqs

if ca_certs is not None:
context.load_verify_locations(ca_certs)
if certfile is not None or keyfile is not None:
context.load_cert_chain(certfile, keyfile)

if ciphers is not None:
context.set_ciphers(ciphers)
if ciphersuites is not None:
context.set_ciphersuites(ciphersuites)

if min_version is not None:
context.minimum_version = min_version
if max_version is not None:
context.maximum_version = max_version
return context.wrap_socket(sock, **kwargs)

return context


def test_wrap_socket(
sock,
*,
server_side=False,
check_hostname=None,
cert_reqs=ssl.CERT_NONE,
ca_certs=None, certfile=None, keyfile=None,
ciphers=None, ciphersuites=None,
min_version=None, max_version=None,
**kwargs,
):
context = make_test_context(
server_side=server_side,
check_hostname=check_hostname,
cert_reqs=cert_reqs,
ca_certs=ca_certs, certfile=certfile, keyfile=keyfile,
ciphers=ciphers, ciphersuites=ciphersuites,
min_version=min_version, max_version=max_version,
)
if not server_side:
kwargs.setdefault("server_hostname", SIGNED_CERTFILE_HOSTNAME)
return context.wrap_socket(sock, server_side=server_side, **kwargs)


USE_SAME_TEST_CONTEXT = False
Expand Down Expand Up @@ -1730,6 +1769,39 @@ def test_num_tickest(self):
with self.assertRaises(ValueError):
ctx.num_tickets = 1

@support.cpython_only
def test_refcycle_msg_callback(self):
# See https://github.com/python/cpython/issues/142516.
ctx = make_test_context()
def msg_callback(*args, _=ctx, **kwargs): ...
ctx._msg_callback = msg_callback

@support.cpython_only
@requires_keylog
def test_refcycle_keylog_filename(self):
# See https://github.com/python/cpython/issues/142516.
self.addCleanup(os_helper.unlink, os_helper.TESTFN)
ctx = make_test_context()
class KeylogFilename(str): ...
ctx.keylog_filename = KeylogFilename(os_helper.TESTFN)
ctx.keylog_filename._ = ctx

@support.cpython_only
@unittest.skipUnless(ssl.HAS_PSK, 'requires TLS-PSK')
def test_refcycle_psk_client_callback(self):
# See https://github.com/python/cpython/issues/142516.
ctx = make_test_context()
def psk_client_callback(*args, _=ctx, **kwargs): ...
ctx.set_psk_client_callback(psk_client_callback)

@support.cpython_only
@unittest.skipUnless(ssl.HAS_PSK, 'requires TLS-PSK')
def test_refcycle_psk_server_callback(self):
# See https://github.com/python/cpython/issues/142516.
ctx = make_test_context(server_side=True)
def psk_server_callback(*args, _=ctx, **kwargs): ...
ctx.set_psk_server_callback(psk_server_callback)


class SSLErrorTests(unittest.TestCase):

Expand Down Expand Up @@ -5163,10 +5235,6 @@ def test_internal_chain_server(self):
self.assertEqual(res, b'\x02\n')


HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
requires_keylog = unittest.skipUnless(
HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')

class TestSSLDebug(unittest.TestCase):

def keylog_lines(self, fname=os_helper.TESTFN):
Expand Down