Title: SSL session management
Type: enhancement
Stage: needs patch
Components: Extension Modules
Versions: Python 3.6
Status: closed
Resolution: duplicate
Dependencies: 8550
Superseder: Add client-side SSL session resumption (view: 19500)
Assigned To:
Nosy List: WadeC, christian.heimes, dstufft, fweimer, giampaolo.rodola, janssen, jcea, lilydjwg, mladen.milosevic, pitrou
Priority: normal
Keywords:

Created on 2010-03-10 01:20 by jcea, last changed 2016-09-08 15:28 by christian.heimes. This issue is now closed.

Messages (5)
msg100777 - Author: Jesús Cea Avión (jcea) (Python committer) Date: 2010-03-10 01:20
The current SSL module doesn't manage SSL sessions, so every connection must do the full SSL handshake.

SSL/TLS supports session restarting: when an old SSL context is used in a new connection, you don't need to do the full SSL handshake.

This is a huge performance improvement.

I think the SSL module should keep a small pool of sessions in core to reuse. Better yet:

a) In SSL sockets, a method should be added to get the SSL context.

b) When creating an SSL socket, in client mode, a new optional parameter should be accepted, for an SSL context.

c) When creating an SSL socket, in server mode, we have two options: a) provide a dictionary or similar, with different contexts for possible client connections, or, better, b) provide a callback the SSL module will call when getting an incoming connection, with a session ID as a parameter. The callback can provide a session SSL state or "None". This second approach allows for session management, like expiration or persistence to disk.

(The second option is equivalent to the first if the dict-like object includes this logic inside.)

What do you think?
msg104368 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-04-27 21:39
issue8550 is probably a prerequisite for implementing this properly.
msg118438 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2010-10-12 17:15
http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html suggests that SSL session caching already occurs by default in server mode:

“SSL_SESS_CACHE_SERVER

    Server sessions are added to the session cache. When a client proposes a session to be reused, the server looks for the corresponding session in (first) the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set), then (second) in the external cache if available. If the session is found, the server will try to reuse the session. This is the default.”

A nice and easy thing to do would be to export the statistics given by http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html.
msg216685 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-04-17 11:09
Ok, I propose the following plan:
- add a new opaque type allowing to wrap an SSL_SESSION
- add a get_session() method to SSLSocket, returning the current session
- add an optional "session=..." parameter to SSLContext.wrap_socket, allowing to specify a session which we hope to reuse during the handshake

There is, however, one complication (from the OpenSSL man pages):

"""SSL_SESSION objects keep internal link information about the session cache list, when being inserted into one SSL_CTX object's session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object)."""

So we would somehow also need to keep a pointer to the SSL context in our session object wrapper, and check that the session isn't reused with another context... (yuck)
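The plan above (a session object obtained from the client socket, and a session= argument to wrap_socket) is what issue 19500 later shipped in Python 3.6 as SSLSocket.session, SSLSocket.session_reused and the session parameter of SSLContext.wrap_socket / wrap_bio. The following is an added example, not code from this thread or from CPython, that exercises that API against a local server: it mints a throwaway certificate with the openssl CLI (assumed to be installed), resumes a TLS 1.2 session on a second connection, and shows the cross-context guard discussed in the last paragraph rejecting a session with ValueError. The helper names (resumption_demo, _mint_cert, _serve) are this example's own.

```python
import os, shutil, socket, ssl, subprocess, tempfile, threading

def _mint_cert(tmpdir):
    # Throwaway self-signed 'localhost' cert via the openssl CLI (constructed test material).
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def _serve(srv_ctx, listener, rounds):
    # Handshake and send one byte on each of `rounds` connections; the server-side session cache is OpenSSL's default (msg118438).
    for _ in range(rounds):
        conn, _ = listener.accept()
        with srv_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"x")

def resumption_demo():
    """Return (first_reused, second_reused, cross_context_rejected), or None without an openssl CLI."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = _mint_cert(tmp)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.load_verify_locations(crt)
        # Pin TLS 1.2: a TLS 1.3 client gets its ticket only after the handshake, so .session may be None.
        for ctx in (srv_ctx, cli_ctx):
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        listener = socket.create_server(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        server = threading.Thread(target=_serve, args=(srv_ctx, listener, 2), daemon=True)
        server.start()
        def connect(session=None):
            with cli_ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)),
                                     server_hostname="localhost", session=session) as s:
                s.recv(1)
                return s.session, s.session_reused
        sess, first_reused = connect()     # full handshake; yields an ssl.SSLSession
        _, second_reused = connect(sess)   # abbreviated handshake driven by that session
        server.join()
        listener.close()
        # The "yuck" check from msg216685: the session is bound to cli_ctx, and CPython refuses (ValueError) to attach it to an SSL object from any other SSLContext.
        other_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            other_ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_hostname="localhost", session=sess)
        except ValueError:
            return first_reused, second_reused, True
        return first_reused, second_reused, False
```

On a machine with the openssl CLI the call returns (False, True, True): a full handshake first, a resumed one second, and the foreign-context session refused.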
msg275049 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-09-08 15:28
I'm going to implement sessions in #19500.
History
Date | User | Action | Args
2016-09-08 15:28:50 | christian.heimes | set | status: open -> closed; versions: + Python 3.6, - Python 3.5; superseder: Add client-side SSL session resumption; messages: + msg275049; resolution: duplicate
2015-07-15 20:02:14 | mladen.milosevic | set | nosy: + mladen.milosevic
2015-04-13 17:23:02 | lilydjwg | set | nosy: + lilydjwg
2014-04-17 11:09:25 | pitrou | set | messages: + msg216685
2014-04-17 10:47:27 | pitrou | set | versions: + Python 3.5, - Python 3.3
2013-08-24 22:51:47 | dstufft | set | nosy: + dstufft
2013-06-13 23:51:12 | christian.heimes | set | nosy: + christian.heimes
2013-04-09 20:27:17 | WadeC | set | nosy: + WadeC
2013-03-08 08:48:07 | fweimer | set | nosy: + fweimer
2010-12-14 21:32:19 | pitrou | set | versions: + Python 3.3, - Python 3.2
2010-10-12 17:15:37 | pitrou | set | messages: + msg118438
2010-04-28 10:03:31 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2010-04-27 21:39:25 | pitrou | set | versions: - Python 2.7; nosy: + pitrou; messages: + msg104368; dependencies: + Expose SSL contexts; stage: needs patch
2010-03-10 04:38:42 | brian.curtin | set | priority: normal; nosy: + janssen
2010-03-10 01:20:51 | jcea | create |