Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#1275 Add OpenSSL.SSL.Connection.session_reused API. #1276

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

#1275 Add OpenSSL.SSL.Connection.session_reused API. #1276

wants to merge 2 commits into from

Conversation

adiroiban
Copy link

@adiroiban adiroiban commented Dec 9, 2023
edited
Loading

Scope

Fixes #1275

This add the SSL.Connection API added in pyca/cryptography#9969

Changes

Add the API as int, not at boolean. Maybe it should be boolean.

Add tests for TLS 1.2 and TLS 1.3

In TLS 1.3 the master key is not the same for reused session.

Still WIP

adiroiban
adiroiban commented Dec 9, 2023
View reviewed changes
CHANGELOG.rst

- Added ``OpenSSL.SSL.Connection.session_reused()`` to query whether the
current session was reused during the last handshake.
[`#1275 <https://github.com/pyca/pyopenssl/issues/1275>`_]
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know if you want a link to a PR.

I have created the changelong before creating the PR... so at that time, I didn't had a PR ID.

adiroiban
adiroiban commented Dec 9, 2023
View reviewed changes
src/OpenSSL/SSL.py

:returns: int

.. versionadded:: NEXT
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure in which version it will be released.

adiroiban
adiroiban commented Dec 9, 2023
View reviewed changes
src/OpenSSL/SSL.py
Retruns `0` when a new session was negotiated.
Returns `1` when a the session was reused.

:returns: int
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with upstream API, but maybe is best to return a bool

adiroiban
adiroiban commented Dec 9, 2023
View reviewed changes
tests/test_ssl.py

assert connection.session_reused() == 0

def test_client_set_session_tls1_2(self):
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with both TLS 1.2 and 1.3 tests since the session handling is a big different.

I will refactor the tests to share more code.

adiroiban
adiroiban commented Dec 10, 2023
View reviewed changes
tests/test_ssl.py
# I have no idea why it works when server-side cache is disabled.
# I guess that this might be because server and client are in the
# same process.
server_ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with explicit context for server and client.

Somehow for this test for TLS 1.2, it works even when cache is off.

For my end to end test, in which I use 2 separate processes, the server cache needs to be enabled for session reuse.

adiroiban
adiroiban commented Dec 10, 2023
View reviewed changes
tests/test_ssl.py
assert originalServer.master_key() == resumedServer.master_key()
assert originalClient.master_key() == resumedClient.master_key()

def test_client_set_session_tls1_3(self):
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no idea why tls 1.3 fails in this test.

I have it working in a separate manual proof of concept code, in which I have the server with pyOpenSSL and the client is curl.

@adiroiban adiroiban mentioned this pull request Dec 11, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use SSL_session_reused API
1 participant
@adiroiban