-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is there a way to get the session_id from the pyopenssl #1244
Comments
any luck? |
I am also looking into this in order to implement the security check for an FTPS data connection. For the OpenSSL API I found SSL_SESSION_get_id I can see that pypopenssl access is done via And I can see that I am not very familiar with cffi ... so I am not sure how this is exposed. Hope it helps |
We no longer bind
|
I can give it a try. I tried to read the I don't realy need the actual session ID value. There is this function I guess that if 2 connections have the same peer certificate and the same encryption key, they might also share the same session. But for the future, I think is best for FTPS applications to use the session_id() rather than handle the encryption key... and accidentlly leaking in some logs. |
I have continue working on this. On client-side for TLS 1.2 it looks like Now, the actual session ID is still usefull on the client side to validate wheter the sessions was resumed for not. The client can set a session ID, but the server can decide not to reuse it. For TLS 1.3 it looks like we also need SSL_CTX_sess_set_new_cb From SSL_get1_session docs
For session resumption, there is also the SSL_SESSION_is_resumable I guess we should start by looking into the API required to implement session resumption for server-side and client-side on pyopenssl for TLS 1.2 and TLS 1.3 For the client side with TLS 1.3, Setting the cache to I will do more testing and more code and docs reading :) |
It looks like I think that the critical API that should be available in cryptography and pyOpenSSL is SSL_session_reused I started a ticket here pyca/cryptography#9969 I still need to do more reading about |
Cryptography PR at pyca/cryptography#9978 It doesn't add SSL_SESSION_get_id It adds SSL_session_reused which can be used to check if the previously set session was reused. We can also have SSL_SESSION_get_id exposes, but I think that it would help to know the use case for this API. When a session is resued, the client-side will have the same ID...but the server side has different ID, even when reused. |
I'm just curious to know, is this behaviour the same as earlier? |
Hi
This is only on TLS 1.3 You can try with In my tests, on TLS 1.3 I am trying to get I have create a PR for SSL_session_reused here, but I'm not sure how to write the automated tests. All ok for TLS 1.2 but for TLS 1.3 the automated tests are failing. I did some manual tests with curl and it looked fine. If you have time, maybe you can give it a try. For which protocol do you need For HTTPS you might not need it on TLS1.3 - https://timtaubert.de/blog/2017/02/the-future-of-session-resumption/ I need this API to implement an FTPS server and client. |
I see there is a method for set_session_id , but could not find get_session_id. I could not find the way to get the session Id. I also found set_session and get_session , but could not find the get_session_id.
Could anyone help on this , how to fix this issue
The text was updated successfully, but these errors were encountered: