classification
Title: add support for tls/ssl sessions in asyncio
Type: enhancement Stage: patch review
Components: asyncio Versions: Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: RemiCardona, asvetlov, christian.heimes, yselivanov
Priority: normal Keywords: patch

Created on 2018-10-13 08:47 by RemiCardona, last changed 2018-11-07 16:24 by RemiCardona.

Pull Requests
URL Status Linked Edit
PR 9840 open RemiCardona, 2018-10-13 09:50
Messages (7)
msg327638 - (view) Author: Rémi Cardona (RemiCardona) * Date: 2018-10-13 08:47
cpython has had TLS session support since 3.6, using the SSLContext.wrap_* methods. Unfortunately, this support is not available when using asyncio's create_connection.

While I've managed to monkeypatch asyncio.sslproto._SSLPipe from my own code (it's a filthy hack but it's short and it gets the job done) running on 3.6.6, I feel this should be properly supported out of the box.

A patch is ready (tests work), a github PR will be created shortly.

Notes in no particular order:
- argument and attribute naming is all over the place, but I could not decide between "sslsession" (matching "sslcontext") and "ssl_session" (matching "ssl_handshake_timeout") so I just picked one
- tested on jessie (with openssl 1.0.2 from jessie-backports) and on gentoo
- the new asyncio tests added in the patch are adapted from test_ssl.py's test_session, with the server-side stats left out. I felt they were not useful if one assumes that the hard work is done by SSLContext.wrap_*.
- I did not reuse test_asyncio.utils.run_test_server which AIUI creates a new server-side context for each incoming connection, thus breaking sessions completely

TIA for considering this bug and patch
msg327641 - (view) Author: Andrew Svetlov (asvetlov) * (Python committer) Date: 2018-10-13 09:01
TLS session support is awesome.

IFAIK ssl_proto.py is under heavy reconstruction now.
Please coordinate your work with Yuri.
msg328243 - (view) Author: Rémi Cardona (RemiCardona) * Date: 2018-10-22 09:21
Hi Andrew,

How should I proceed? What's the best avenue to get in touch with Yuri?

Thanks
msg328244 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-10-22 10:06
Don't use the existing session feature, yet. It only works for TLS 1.2 connections. TLS 1.3 behaves differently. There are multiple session tickets (usually two) and tickets are sent after handshake. Further more, Python lacks clear shutdown of a connection, which causes further problems with session handling. See https://www.openssl.org/docs/manmaster/man3/SSL_get_session.html
msg329407 - (view) Author: Rémi Cardona (RemiCardona) * Date: 2018-11-07 09:45
Hi Christian,

Could you tell me more about this new openssl API? Right now my patch works with whatever the ssl module provides. Are you suggesting the ssl module is in some way incomplete? Would supporting TLS 1.3 sessions be incompatible with the current session API?

I'd like to help wherever possible, but I'm probably missing some context and/or knowledge around all things TLS in cpython.

Thanks
msg329410 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-11-07 10:08
The session code of the ssl is not compatible with TLS 1.3. Actually the whole API doesn't work with TLS 1.3. In TLS 1.2 and before, sessions had multiple security implications. For example they break PFS.

TLS 1.3 changed when sessions are exchanged and how session are resumed. Session data is no longer part of the handshake. Instead the server can send session tickets at any point after the handshake. A server can send multiple tickets (usually two) and tickets must only be reused once.
msg329422 - (view) Author: Rémi Cardona (RemiCardona) * Date: 2018-11-07 16:24
So, IOW, the ssl module needs a good shakeup wrt TLS 1.3 sessions before any asyncio work can be merged.  Am I getting this right?

In which case, a whole other issue/PR is needed and possibly better folks than me.  I try to stay clear of low-level crypto APIs because I don't trust myself to get things right.  Well… I certainly can look at it, but I fear I may be punching above my weight with this.
History
Date User Action Args
2018-11-07 16:24:07RemiCardonasetmessages: + msg329422
2018-11-07 10:08:23christian.heimessetmessages: + msg329410
2018-11-07 09:45:13RemiCardonasetmessages: + msg329407
2018-10-22 10:06:34christian.heimessetnosy: + christian.heimes

messages: + msg328244
versions: + Python 3.8
2018-10-22 09:21:54RemiCardonasetmessages: + msg328243
2018-10-13 09:50:43RemiCardonasetkeywords: + patch
stage: patch review
pull_requests: + pull_request9214
2018-10-13 09:01:44asvetlovsetmessages: + msg327641
2018-10-13 08:47:40RemiCardonacreate