SSL session management #52353

Closed
jcea opened this issue Mar 10, 2010 · 5 comments
Labels
extension-modules C modules in the Modules dir type-feature A feature request or enhancement

Comments

@jcea
Member

jcea commented Mar 10, 2010

BPO 8106
Nosy @jcea, @pitrou, @giampaolo, @tiran, @lilydjwg, @dstufft
Dependencies
  • bpo-8550: Expose SSL contexts
  • Superseder
  • bpo-19500: ftplib: Add client-side SSL session resumption
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2016-09-08.15:28:50.735>
    created_at = <Date 2010-03-10.01:20:51.223>
    labels = ['extension-modules', 'type-feature']
    title = 'SSL session management'
    updated_at = <Date 2016-09-08.15:28:50.733>
    user = 'https://github.com/jcea'

    bugs.python.org fields:

    activity = <Date 2016-09-08.15:28:50.733>
    actor = 'christian.heimes'
    assignee = 'none'
    closed = True
    closed_date = <Date 2016-09-08.15:28:50.735>
    closer = 'christian.heimes'
    components = ['Extension Modules']
    creation = <Date 2010-03-10.01:20:51.223>
    creator = 'jcea'
    dependencies = ['8550']
    files = []
    hgrepos = []
    issue_num = 8106
    keywords = []
    message_count = 5.0
    messages = ['100777', '104368', '118438', '216685', '275049']
    nosy_count = 10.0
    nosy_names = ['jcea', 'janssen', 'pitrou', 'giampaolo.rodola', 'christian.heimes', 'lilydjwg', 'dstufft', 'fweimer', 'WadeC', 'mladen.milosevic']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'needs patch'
    status = 'closed'
    superseder = '19500'
    type = 'enhancement'
    url = 'https://bugs.python.org/issue8106'
    versions = ['Python 3.6']

@jcea
Member Author

jcea commented Mar 10, 2010

The current SSL module doesn't manage SSL sessions, so any connection must do the full SSL handshake.

SSL/TLS supports session restarting, where an old SSL context is used in a new connection, so you don't need to do the full SSL handshake.

This is a huge performance improvement.

I think the SSL module should keep a small pool of sessions in core, to reuse. Better yet:

a) In SSL sockets, a method should be added to get the SSL context.

b) When creating an SSL socket, in client mode, a new optional parameter should be accepted, for an SSL context.

c) When creating an SSL socket, in server mode, we have two options: a) provide a dictionary or similar, with different contexts for possible client connections or, better, b) provide a callback the SSL module will call when getting an incoming connection, with a session ID as a parameter. The callback can provide a session SSL state or "None". This second approach allows for session management, like expiration or persistence to disk.

(The second option is equivalent to the first if the dict-like object includes this logic inside.)

What do you think?
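The following is an added example, not code from this issue or from CPython, of what option (c) above amounts to: a server-side store that the TLS layer would query with a session ID and that answers with the stored state or None. The class name `SessionCache`, its `lookup`/`store` methods and the session IDs and state blobs are all constructed for illustration; the ssl module never gained such a hook, and the counters only mimic the names of OpenSSL's `SSL_CTX_sess_*` statistics. Expiration and a size bound live inside the store, which is exactly why the dict-like and callback variants in the post are equivalent.

```python
import time
from collections import OrderedDict
from typing import Optional


class SessionCache:
    """Server-side session store in the shape of jcea's option (c).

    The TLS layer would call ``lookup(session_id)`` for each resumption
    attempt and get back the stored state or ``None``; ``store`` is called
    after a full handshake.  Hypothetical example class: the ssl module
    has no such hook, and the state blob (which in reality would carry the
    master secret) is treated as opaque bytes here.
    """

    def __init__(self, max_entries: int = 1024, ttl: float = 300.0,
                 clock=time.monotonic):
        # session_id -> (expires_at, opaque state); insertion order doubles
        # as recency order, so the first item is always the LRU candidate.
        self._entries: "OrderedDict[bytes, tuple]" = OrderedDict()
        self.max_entries = max_entries
        self.ttl = ttl
        self._clock = clock
        # Counters mirroring what OpenSSL exposes via SSL_CTX_sess_*.
        self.hits = 0
        self.misses = 0
        self.timeouts = 0

    def store(self, session_id: bytes, state: bytes) -> None:
        """Remember session state; evict the least recently used entry when full."""
        if session_id in self._entries:
            self._entries.move_to_end(session_id)
        self._entries[session_id] = (self._clock() + self.ttl, state)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)

    def lookup(self, session_id: bytes) -> Optional[bytes]:
        """Resumption callback: stored state, or None to force a full handshake."""
        entry = self._entries.get(session_id)
        if entry is None:
            self.misses += 1
            return None
        expires_at, state = entry
        if self._clock() >= expires_at:
            # Expired entries are dropped on access rather than by a sweeper.
            del self._entries[session_id]
            self.timeouts += 1
            return None
        self._entries.move_to_end(session_id)
        self.hits += 1
        return state

    def invalidate(self, session_id: bytes) -> None:
        """Forget a session, e.g. after the server key or certificate changes."""
        self._entries.pop(session_id, None)

    def __len__(self) -> int:
        return len(self._entries)


class ManualClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk a cache through a hit, an LRU eviction and an expiry; return the result."""
    clock = ManualClock()
    cache = SessionCache(max_entries=2, ttl=10.0, clock=clock)
    # Constructed session IDs (real ones are up to 32 server-chosen bytes).
    cache.store(b"\x01" * 32, b"state-1")
    cache.store(b"\x02" * 32, b"state-2")
    first = cache.lookup(b"\x01" * 32)      # hit; also marks 01 as most recent
    cache.store(b"\x03" * 32, b"state-3")   # over capacity: evicts 02 (the LRU)
    evicted = cache.lookup(b"\x02" * 32)    # miss
    clock.now = 11.0                        # past the 10 s TTL
    expired = cache.lookup(b"\x01" * 32)    # timeout; entry dropped
    return {"first": first, "evicted": evicted, "expired": expired,
            "hits": cache.hits, "misses": cache.misses,
            "timeouts": cache.timeouts, "remaining": len(cache)}


if __name__ == "__main__":
    print(demo())
```

The injectable clock is what makes the expiry path testable; in production `time.monotonic` is the right default because wall-clock jumps would otherwise expire or revive entries spuriously.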

@jcea jcea added extension-modules C modules in the Modules dir type-feature A feature request or enhancement labels Mar 10, 2010
@pitrou
Member

pitrou commented Apr 27, 2010

bpo-8550 is probably a prerequisite for implementing this properly.

@pitrou
Member

pitrou commented Oct 12, 2010

http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html suggests that SSL session caching already occurs by default in server mode:

“SSL_SESS_CACHE_SERVER

Server sessions are added to the session cache. When a client proposes a session to be reused, the server looks for the corresponding session in (first) the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set), then (second) in the external cache if available. If the session is found, the server will try to reuse the session. This is the default.”

A nice and easy thing to do would be to export the statistics given by http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html.

@pitrou
Member

pitrou commented Apr 17, 2014

Ok, I propose the following plan:

• add a new opaque type that wraps an SSL_SESSION
• add a get_session() method to SSLSocket, returning the current session
• add an optional "session=..." parameter to SSLContext.wrap_socket, allowing a session to be specified which we hope to reuse during the handshake

There is, however, one complication (from the OpenSSL man pages):

"""SSL_SESSION objects keep internal link information about the session cache list, when being inserted into one SSL_CTX object's session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object)."""

So we would somehow also need to keep a pointer to the SSL context in our session object wrapper, and check that the session isn't reused with another context... (yuck)
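As an added example (not code from this thread or from CPython), here is what the plan above and the statistics export suggested in the Oct 2010 comment look like from the client side, written against the API that Python 3.6 eventually shipped under bpo-19500: the `session=` argument of `SSLContext.wrap_socket`, the `session` and `session_reused` attributes of `SSLSocket`, and `SSLContext.session_stats()`, which is the `SSL_CTX_sess_*` counter export. The per-host store (`SessionStore`) and the function names are constructed for this example. `connect_with_resumption` needs a reachable TLS server and is therefore only illustrated, while `session_stats_summary` runs offline.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# Client-side store: one remembered session per (host, port).  Constructed for
# this example; the ssl module leaves where to keep sessions up to the caller.
SessionStore = Dict[Tuple[str, int], ssl.SSLSession]


def connect_with_resumption(ctx: ssl.SSLContext, host: str, port: int,
                            store: SessionStore,
                            timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect over TLS, offering a remembered session and caching the new one.

    Requires Python 3.6+ (SSLSession, wrap_socket(session=...),
    SSLSocket.session_reused).  Not exercised offline: it needs a live server.
    """
    key = (host, port)
    saved: Optional[ssl.SSLSession] = store.get(key)
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        ssock = ctx.wrap_socket(sock, server_hostname=host, session=saved)
    except ValueError:
        # wrap_socket raises ValueError (and closes the socket) when the saved
        # session belongs to a different SSLContext: this is the
        # one-SSL_CTX-per-session rule from the OpenSSL man page, enforced
        # for us.  Drop the stale entry and do a full handshake instead.
        store.pop(key, None)
        sock = socket.create_connection((host, port), timeout=timeout)
        ssock = ctx.wrap_socket(sock, server_hostname=host)
    if not ssock.session_reused and ssock.session is not None:
        # Full handshake happened; keep the session the server issued.  With
        # TLS 1.3 the ticket is delivered after the handshake, so ``session``
        # may still be None at this point until some data has been read.
        store[key] = ssock.session
    return ssock


def session_stats_summary(ctx: ssl.SSLContext) -> Dict[str, float]:
    """Flatten SSLContext.session_stats() (the SSL_CTX_sess_* counters) and
    add a resumption hit rate over all cache lookups."""
    stats: Dict[str, float] = dict(ctx.session_stats())
    lookups = stats["hits"] + stats["misses"] + stats["timeouts"]
    stats["hit_rate"] = stats["hits"] / lookups if lookups else 0.0
    return stats


def fresh_context_summary() -> Dict[str, float]:
    """Summary for a context that has performed no handshakes: all counters zero."""
    return session_stats_summary(ssl.create_default_context())


if __name__ == "__main__":
    # Offline demonstration of the statistics export only.
    for name, value in sorted(fresh_context_summary().items()):
        print(f"{name:20} {value}")
```

Because the session object is bound to the context that produced it, a store keyed only by host and port silently breaks if the application rebuilds its `SSLContext` (for example after reloading CA bundles); catching the `ValueError` and retrying with a full handshake keeps that case from turning into a connection failure.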

@tiran
Member

tiran commented Sep 8, 2016

I'm going to implement sessions in bpo-19500.

@tiran tiran closed this as completed Sep 8, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022