This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Add support for export_keying_material to SSL library
Type: enhancement Stage: patch review
Components: SSL Versions: Python 3.10
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: eighthave, wingel71
Priority: normal Keywords: patch

Created on 2019-08-26 08:49 by wingel71, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 25255 open wingel71, 2021-04-07 13:57
Messages (9)
msg350512 - (view) Author: Christer Weinigel (wingel71) * Date: 2019-08-26 08:49
Add support for the export_keying_material function to the SSL library.

Tested with Python 3.7.4 and Python master branch:

Is this the correct format for a patch?  Should I include the automatically generated clinic changes in my patch or not?  What about the "versionadded::" string in the documentation?  Should I include a line like that or does it only generate unneccessary conflicts?  Anything else I need to do?
msg350513 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-08-26 09:16
Could you please explain the purpose of the feature and why you want to expose the interface? What's the use case?

As this is a new feature, Python 3.7 and 3.8 are out of scope.
msg350514 - (view) Author: Christer Weinigel (wingel71) * Date: 2019-08-26 09:31
I'm doing an implementation of the NTS protocol for my customer Netnod:

NTS is draft RFC on its way to become a standard:

NTS requires the export_keying_material functionality as described in RFC5705.

Basically it's a part of the TLS standard, is used by 10 existing protocols with more on the way.  And I can't implement a NTS key establishment server or client without the function.  That's why I added the functionality and verified that it works both with the stable 3.7.4 release and with the master branch of the cpython repository.

I tested with 3.7.4 first on my machine because that's the release of Python that comes with Ubuntu and I wanted to have as few differences as as possible compared to the distribution version.  I then forward ported the patch to the master branch and verified that my NTS implementation still works with that branch.
msg390433 - (view) Author: Christer Weinigel (wingel71) * Date: 2021-04-07 13:51
OpenSSL has a function to "SSL_export_keying_material" as described in RFC5705.  This functionality is needed to be able to support a bunch of other protocols such as "Network Time Security for the Network Time Protocol" which has now become a proper RFC as RFC8915.  There are half a dozen other RFCs which also use this functionality.

I have written a patch to add support for this function which can be found on github:

And it is used in my implementation of the NTS procotol which can also be found on github:

It would be very nice if mainline Python could support for this function in the future so that I don't have to maintain a patched version of Python for this.
msg415553 - (view) Author: Hans-Christoph Steiner (eighthave) Date: 2022-03-19 14:32
We're working on the HTTP Transport Auth draft ( in the IETF that also needs this method.  I would really love to see this land, any advice?  If it is just a matter of updating the patch for the current Python, I can probably handle that.
msg415569 - (view) Author: Christer Weinigel (wingel71) * Date: 2022-03-19 20:53

unfortunately the maintainer of the openssl library in Python doesn't
want to take my patch.  He says that he doesn't want the burden of
supporting more functions in the API.  I'm a bit frustrated about the
whole situation, I've redone my patch over and over again for at least
six months just to receive no feedback at all and to finally be told
that it was all in vain.  If you add a comment to the merge request
saying that you also need that functionality it might help to change
his mind, but probably not.  But it would show that it's not only me
that would like to be able to use that function.

I have kept my patch up to date up to a few weeks ago so unless
something major has happened it ought to apply fairly cleanly to the
latest mainline branch of python.

Usually there will be conflict due to an automatically generated
checksum at the end of the file _ssl.c.h but to get around that, just
skip that part of the patch and rerun "clinic" to regenerate the
checksum.  Here's what I usually do to build and test my patch:

./configure --prefix=/opt/python-master

python3 Tools/clinic/ -f Modules/_ssl.c
make -j24
make install


On Sat, 2022-03-19 at 14:32 +0000, Hans-Christoph Steiner wrote:
> Hans-Christoph Steiner <> added the comment:
> We're working on the HTTP Transport Auth draft
> (
> ) in the IETF that also needs this method.  I would really love to
> see this land, any advice?  If it is just a matter of updating the
> patch for the current Python, I can probably handle that.
> ----------
> nosy: +eighthave
> _______________________________________
> Python tracker <>
> <>
> _______________________________________
msg415579 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-19 22:42
Neither venting frustration at my expense nor emotional blackmail is going to increase the likeliness, that I will spend my limited personal time to review a patch for a new feature. Feel free to find another core dev who is willing to land and maintain your patch.
msg415585 - (view) Author: Christer Weinigel (wingel71) * Date: 2022-03-19 23:32
Sorry about the venting, but it is kind of frustrating to spend months
working on something with no feedback just to be told that it all was
for nothing.  But that's how it is.  I'll just keep updating my path
every now and then since I need it anyway and don't want my application
to fall too far behind compared to mainstream Python.

My point is mostly that that export_keying_material is starting to be
used in more IETF RFCs.  The most recent one was accepted just a few
weeks ago.  I think that is a bit of a shame that Python doesn't have
support for that functionality out of the box.  If enough people say
it's useful for them maybe that would influence your decision.

As for the rest of my mail.  Since I am trying to keep my patch sort of
up date, I might as well point to it and explain how to use it. 
Hopefully that will reduce your support burden since it will allow
those who need that functionality to build a Python interpreter on
their own.
msg415604 - (view) Author: Hans-Christoph Steiner (eighthave) Date: 2022-03-20 14:18
I understand the frustrations here, but this is really not a place to vent, since that only harms everyone's interests.  When a core maintainer voices concerns or questions, they need to be addressed.  This goes for any project.

I'll see if I can contribute to, that would also work for exporting keying material.
Date User Action Args
2022-04-11 14:59:19adminsetgithub: 82133
2022-03-20 14:18:50eighthavesetmessages: + msg415604
2022-03-19 23:32:06wingel71setmessages: + msg415585
2022-03-19 22:44:14christian.heimessetnosy: - christian.heimes
2022-03-19 22:42:30christian.heimessetassignee: christian.heimes ->
messages: + msg415579
nosy: christian.heimes, wingel71, eighthave
2022-03-19 20:53:15wingel71setmessages: + msg415569
2022-03-19 14:32:15eighthavesetnosy: + eighthave
messages: + msg415553
2021-04-07 13:57:39wingel71setkeywords: + patch
stage: patch review
pull_requests: + pull_request23991
2021-04-07 13:51:42wingel71setmessages: + msg390433
versions: + Python 3.10, - Python 3.9
2019-08-26 09:31:13wingel71setmessages: + msg350514
2019-08-26 09:16:27christian.heimessetmessages: + msg350513
versions: - Python 3.7
2019-08-26 08:49:04wingel71create