Patch incoming. Filing this so there's a bug to attach the PR to.

GH-25309 enabled SSL_OP_IGNORE_UNEXPECTED_EOF by default, with a comment that it restores OpenSSL 1.1.1 behavior, but this wasn't quite right. That option causes OpenSSL to treat transport EOF as the same as close_notify (i.e SSL_ERROR_ZERO_RETURN), whereas Python actually has distinct SSLEOFError and SSLZeroReturnError exceptions. (The latter is usually mapped to a zero return from read.) In OpenSSL 1.1.1, the ssl module would raise them for transport EOF and close_notify, respectively. In OpenSSL 3.0, both act like close_notify.

Linked PRs

• [3.11] GH-95494: Fix transport EOF handling in OpenSSL 3.0 (GH-95495) #103006
• [3.10] GH-95494: Fix transport EOF handling in OpenSSL 3.0 (GH-95495) #103007