Handle socket errors when sending HTTP-over-HTTPS error responses

When a client sends plaintext HTTP to a TLS-only port, the SSL layer
detects the invalid handshake and may close the underlying socket.
The server attempts to send a 400 Bad Request error response, but the
socket may already be closed, causing OSError during the flush.

With pyOpenSSL, the response usually succeeds. With the builtin SSL
adapter, the socket may be closed before the write can occur.

This fix overrides `_flush_unlocked()` in `StreamWriter` to catch
`OSError` and clear the buffer. This allows:
- The explicit flush to fail gracefully when sending the 400 response
- Object finalization (`__del__`) to complete without errors

Author: webknjaz

cheroot/connections.py

@@ -327,6 +327,8 @@ def _from_server_socket(self, server_socket):  # noqa: C901  # FIXME
                     wfile = mf(s, 'wb', io.DEFAULT_BUFFER_SIZE)
                     try:
                         wfile.write(''.join(buf).encode('ISO-8859-1'))
+                        wfile.flush()
+                        wfile.close()
                     except OSError as ex:
                         if ex.args[0] not in errors.socket_errors_to_ignore:
                             raise

cheroot/makefile.py

@@ -68,6 +68,29 @@ def write(self, val, *args, **kwargs):
         self.bytes_written += len(val)
         return res
 
+    def _flush_unlocked(self):
+        """
+        Flush buffered output to the underlying socket.
+
+        We override this method because when a client sends plaintext HTTP
+        to a TLS-only port, SSL detects a bad handshake and may
+        invalidate the underlying socket. At that point, the socket
+        may not be writable at the moment of flush. Attempting to write
+        (e.g., sending a 400 Bad Request) may succeed or raise OSError.
+        This override prevents OSError from propagating and clears the buffer
+        to prevent further write attempts.
+        """
+        try:
+            super()._flush_unlocked()
+        except OSError:
+            # The socket is already closed or otherwise unusable (e.g. TLS
+            # fatal alert triggered by invalid pre-handshake plaintext).
+            #
+            # Clearing the buffer prevents additional write attempts during
+            # object finalization (BufferedWriter.__del__), avoiding noisy
+            # OSError reports at interpreter shutdown.
+            self._write_buf.clear()
+
 
 def MakeFile(sock, mode='r', bufsize=io.DEFAULT_BUFFER_SIZE):
     """File object attached to a socket object."""

cheroot/server.py

@@ -1370,6 +1370,7 @@ def _handle_no_ssl(self, req):
             'this server only speaks HTTPS on this port.'
         )
         req.simple_response('400 Bad Request', msg)
+        self.wfile.flush()
         self.linger = True
 
     def _conditional_error(self, req, response):

cheroot/test/test_ssl.py

@@ -713,7 +713,6 @@ def test_https_over_http_error(http_server, ip_addr):
         pytest.param(ANY_INTERFACE_IPV6, marks=missing_ipv6),
     ),
 )
-@pytest.mark.flaky(reruns=3, reruns_delay=2)
 # pylint: disable-next=too-many-positional-arguments
 def test_http_over_https_error(
     http_request_timeout,
@@ -726,12 +725,6 @@ def test_http_over_https_error(
     tls_certificate_private_key_pem_path,
 ):
     """Ensure that connecting over HTTP to HTTPS port is handled."""
-    # disable some flaky tests
-    # https://github.com/cherrypy/cheroot/issues/225
-    issue_225 = IS_MACOS and adapter_type == 'builtin'
-    if issue_225:
-        pytest.xfail('Test fails in Travis-CI')
-
     if IS_LINUX:
         expected_error_code, expected_error_text = (
             104,

docs/changelog-fragments.d/802.bugfix.rst

@@ -0,0 +1,3 @@
+Fixed socket errors when clients send HTTP to HTTPS-only ports.
+
+-- by :user:`julianz-`

docs/spelling_wordlist.txt

@@ -40,6 +40,7 @@ netloc
 noqa
 PIL
 pipelining
+plaintext
 positionally
 pre
 preconfigure