-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
General Usage #2
Comments
Hi @ddurham2 |
Thanks for the follow up. Unfortunately, no concurrency here in my little example so far. No idea. Feel free to close this.. or we can keep it open in case one of us finds something. |
I think I found your problem.. fixed it for me... At least when using TLSv1.2 and limited ciphers to PSK on required both side... i.e. Your do_handshake overrides need to not call the setup more than once. do_install(), when async of course, is going to get reinvoked for each of the 3 to 4 legs of the SSL handshake. e.g.
The actual problem is that your _ssl_setup_psk_callbacks() calls _ssl_set_psk_server_callback() which then calls SSL_set_accept_state() which resets the SSL handshake state. Since these do_handshake() overloads are calling _ssl_setup_psk_callbacks() every time, we'll abort the connection on the second time through do_handshake(). BTW- The hasattr() business has to do with the fact that the init() method of those classes don't get called, so you can't initialize the flag to False. I'm still digging to try and make it work for TLSv1.3. Enabling 1.3 gives the ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT error on the client side. |
Just noting, context.set_ciphers("PSK") seems to be required, because without explictly setting the ciphers, PSK ciphers just aren't in the default list advertised in the client hello message. I found that set_ciphers('ALL') on the server and set_ciphers('PSK') on the client works. But if you leave either side as the default configured ciphers, then PSK just doesn't work. So it kinda has to be requested explicitly using either ALL or PSK. |
When using TLS1.3, I receive the ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT I get this error using the synchronous wrap_socket() implementation as well as asyncio. UPDATE: SSLContext.set_ciphers() cannot be used to control 1.3 ciphers. And when I log what context.get_ciphers() (which does include which 1.3 ciphers are enabled), PSK ciphers are not listed. So, until python3 allows calling set_cipher_suites() or something (necessary for 1.3), we're limited to 1.2 with TLS-PSK. |
Thanks again for the excellent head start on this. This may give me enough info to submit a PR for python 3.12+, and eventually eliminate the need for sslpsk2. Let me know if this info helps with your project. |
That is awesome @ddurham2 |
That's correct. It's the server that has the problem with the extra initiations of SSL_set_accept_state() ("accepting" a connection is only a server side concern) Glad to help. |
Hey @ddurham2: I was revisiting this repo and noticed you proposed some very interesting changes here https://github.com/ddurham2/sslpsk2/tree/add-sslcontext However it seems you closed them before those were merged. May I ask, if that was for any particular reason? |
Hey, I came across your post here. I'm also trying to make PSK work generally in python and pskssl2 seems to be the most viable option.
I'm working in the context of asyncio (aiohttp) and so you're post was most helpful.
I believe I have your code working on the aiohttp server side. I can get openssl s_client to have failure/success depending on the chosen PSK, but it isn't helpful to actually make HTTP requests. Unfortunately, curl and wget on the cli don't offer any PSK options.
So I started working with your code on an aiohttp client side to verify. But I'm running into an error
This is an error from openssl itself. Something is getting confused I guess and it's thinking I'm trying to resume a session (which a similar operation but not what I'm doing).
I'm simply supplying your subclass of SSLContext to aiohttp.get() which is generally how to customize the ssl context. This could be a problem with how aiohttp is working. But I was wondering if you've run into a similar error.
Thanks (sorry for not-the-best-means of communicating, but I wasn't sure how else to ask).
I'm trying to get something going in the short term, but once I grok this, I may attempt to submit a upstream patch for general PSK support.
The text was updated successfully, but these errors were encountered: