New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL session management #52353
Comments
Current SSL module doesn't manage SSL sessions, so any connection must do the full SSL handshake. SSL/TLS support session restarting, when an old SSL context is used in a new connection, so you don't need to do the full SSL handshake. This is a huge performance improvement. I think SSL module should keep a small pool of sessions in core, to reuse. Better yet: a) In SSL sockets, a method should be added to get the SSL context. b) When creating a SSL socket, in client mode, a new optional parameter should be accepted, for a SSL context. c) When creating a SSL socket, in server mode, we have two options: a) provide a dictionary or similar, with different contexts for possible clients connections or, better b) provide a callback the SSL module will call when getting an incoming connection, with a session ID as a parameter. The callback can provide a session SSL state or "None". This second approach allow for session management, like expiration or persistence to disk. (the second option is equivalent to the first if the dict-like object includes this logic inside) What do you think?. |
bpo-8550 is probably a prerequisite for implementing this properly. |
http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html suggests that SSL session caching already occurs by default in server mode: “SSL_SESS_CACHE_SERVER
A nice and easy thing to do would be to export the statistics given by http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html# . |
Ok, I propose the following plan:
There is however, one complication (from OpenSSL man pages): """SSL_SESSION objects keep internal link information about the session cache list, when being inserted into one SSL_CTX object's session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object).""" So we would somehow also need to keep a pointer to the SSL context in our session object wrapper, and check that the session isn't reused with another context... (yuck) |
I'm going to implement sessions in bpo-19500. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: