cpython has had TLS session support since 3.6, using the SSLContext.wrap_* methods. Unfortunately, this support is not available when using asyncio's create_connection.

While I've managed to monkeypatch asyncio.sslproto._SSLPipe from my own code (it's a filthy hack but it's short and it gets the job done) running on 3.6.6, I feel this should be properly supported out of the box.

A patch is ready (tests work), a github PR will be created shortly.

Notes in no particular order:
- argument and attribute naming is all over the place, but I could not decide between "sslsession" (matching "sslcontext") and "ssl_session" (matching "ssl_handshake_timeout") so I just picked one
- tested on jessie (with openssl 1.0.2 from jessie-backports) and on gentoo
- the new asyncio tests added in the patch are adapted from test_ssl.py's test_session, with the server-side stats left out. I felt they were not useful if one assumes that the hard work is done by SSLContext.wrap_*.
- I did not reuse test_asyncio.utils.run_test_server which AIUI creates a new server-side context for each incoming connection, thus breaking sessions completely

TIA for considering this bug and patch

TLS session support is awesome.

IFAIK ssl_proto.py is under heavy reconstruction now.
Please coordinate your work with Yuri.

Hi Andrew,

How should I proceed? What's the best avenue to get in touch with Yuri?

Thanks

Don't use the existing session feature, yet. It only works for TLS 1.2 connections. TLS 1.3 behaves differently. There are multiple session tickets (usually two) and tickets are sent after handshake. Further more, Python lacks clear shutdown of a connection, which causes further problems with session handling. See https://www.openssl.org/docs/manmaster/man3/SSL_get_session.html

Hi Christian,

Could you tell me more about this new openssl API? Right now my patch works with whatever the ssl module provides. Are you suggesting the ssl module is in some way incomplete? Would supporting TLS 1.3 sessions be incompatible with the current session API?

I'd like to help wherever possible, but I'm probably missing some context and/or knowledge around all things TLS in cpython.

Thanks

The session code of the ssl is not compatible with TLS 1.3. Actually the whole API doesn't work with TLS 1.3. In TLS 1.2 and before, sessions had multiple security implications. For example they break PFS.

TLS 1.3 changed when sessions are exchanged and how session are resumed. Session data is no longer part of the handshake. Instead the server can send session tickets at any point after the handshake. A server can send multiple tickets (usually two) and tickets must only be reused once.

So, IOW, the ssl module needs a good shakeup wrt TLS 1.3 sessions before any asyncio work can be merged.  Am I getting this right?

In which case, a whole other issue/PR is needed and possibly better folks than me.  I try to stay clear of low-level crypto APIs because I don't trust myself to get things right.  Well… I certainly can look at it, but I fear I may be punching above my weight with this.

Christian, do you think the sessions support shouldn't be added to asyncio in 3.8?

Anything I can do to get the ball rolling?  Let me know who to get in touch with and *how*, and I will.  Thanks