From 6be97154039497a8b0f0b6ac7783ef52eaa56626 Mon Sep 17 00:00:00 2001
From: Anthony Young-Garner <anthony.young-garner@cloudera.com>
Date: Tue, 19 Jan 2021 09:54:27 -0600
Subject: [PATCH 1/2] Uncaught socket exception during timeout handling

---
 cheroot/ssl/pyopenssl.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cheroot/ssl/pyopenssl.py b/cheroot/ssl/pyopenssl.py
index 194fd223fd..574019c9cd 100644
--- a/cheroot/ssl/pyopenssl.py
+++ b/cheroot/ssl/pyopenssl.py
@@ -105,8 +105,14 @@ def _safe_call(self, is_reader, call, *args, **kwargs):  # noqa: C901
             except SSL.WantWriteError:
                 time.sleep(self.ssl_retry)
             except SSL.SysCallError as e:
-                if is_reader and e.args == (-1, 'Unexpected EOF'):
-                    return b''
+                if e.args == (-1, 'Unexpected EOF'):
+                    if is_reader:
+                        return b''
+                    else:
+                        # See #210. Prevents DOS attack caused by
+                        # silent connections lasting beyond connection
+                        # timeout length.
+                        raise errors.FatalSSLAlert(*e.args)
 
                 errnum = e.args[0]
                 if is_reader and errnum in errors.socket_errors_to_ignore:

From f4553d8222ee6a2a362ac2793eefd952ebfe955c Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 2 Dec 2025 16:30:27 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 cheroot/ssl/pyopenssl.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/cheroot/ssl/pyopenssl.py b/cheroot/ssl/pyopenssl.py
index 574019c9cd..471e7d8d23 100644
--- a/cheroot/ssl/pyopenssl.py
+++ b/cheroot/ssl/pyopenssl.py
@@ -108,11 +108,10 @@ def _safe_call(self, is_reader, call, *args, **kwargs):  # noqa: C901
                 if e.args == (-1, 'Unexpected EOF'):
                     if is_reader:
                         return b''
-                    else:
-                        # See #210. Prevents DOS attack caused by
-                        # silent connections lasting beyond connection
-                        # timeout length.
-                        raise errors.FatalSSLAlert(*e.args)
+                    # See #210. Prevents DOS attack caused by
+                    # silent connections lasting beyond connection
+                    # timeout length.
+                    raise errors.FatalSSLAlert(*e.args)
 
                 errnum = e.args[0]
                 if is_reader and errnum in errors.socket_errors_to_ignore: