-
-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for the NPN extension to TLS/SSL #58412
Comments
Recent versions of OpenSSL (1.0.1 and greater) support a new extension to SSL/TLS called Next Protocol Negotiation, defined here: http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02. The extension allows servers and clients to advertise which protocols they support (for example, both HTTP and SPDY) and then agree on one during the handshake according to a simple algorithm. This patch to 2.7 adds support for the NPN extension via another parameter to ssl.wrap_socket, called 'npn_protocols', and by using the OpenSSL API. It should fail gracefully if the linked version of OpenSSL has no support for NPN, using a macro guard. Once the handshake is completed, SSLSocket.selected_protocol() returns whatever was agreed upon. Although I included client/server tests with the patch, testing this functionality in real-life situations proved difficult. Google chrome has SPDY and NPN functionality baked in, so I wrote a simple socket server that advertises SPDY/2 in addition to HTTP/1.1. Chrome, pointed at this server, correctly completed the handshake and started merrily sending SPDY control frames. |
There is zero chance that this can go into 2.7. So if you want to see it included, please port it to Python 3, and it may become part of Python 3.3 or 3.4. |
If I ported it to 3.3 or 3.4, would it then be backported to 2.7? Or is there zero chance of that either? If so, why? I apologize, I'm new to the process. |
It won't be backported. Python 2.7 is in bug-fix mode; no new features If this means that you'll lose interest in this issue - that's fine. |
Hello Marc,
Apparently this is an IETF draft. Do you know if it is stabilized enough that it won't change significantly? Also, please notice that the ssl module (starting from Python 3.2) now exposes the notion of an SSL context. The setting of NPN parameters should probably be exposed as a context method and/or a parameter to SSLContext.wrap_socket(). |
Re the IETF draft: I'm not sure. However, I didn't actually have to implement the specification at all - that was all handled by OpenSSL. My patch just calls the appropriate SSL_CTX_* methods. Thanks for the tip. I'm still interested in this getting included, so I'll work on porting it over. |
Here's an updated patch against 3.3. |
Oops, I had my vim configured wrong and left a few tab characters in there. Here's another updated patch =) |
Here's the OpenSSL code I referenced for my implementation. It's an excerpt of ssl/lib_ssl.c, starting at line 1514. |
Updated patch. |
More updates to the patch. |
Sorry for the delay. I've run the tests (with OpenSSL 1.0.1-beta3) in debug mode and got an error: ====================================================================== Traceback (most recent call last):
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1882, in test_npn_ext
chatty=True, connectionchatty=True)
File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1210, in server_params_test
s.connect((HOST, server.port))
File "/home/antoine/cpython/default/Lib/ssl.py", line 543, in connect
self._real_connect(addr, False)
File "/home/antoine/cpython/default/Lib/ssl.py", line 533, in _real_connect
self.do_handshake()
File "/home/antoine/cpython/default/Lib/ssl.py", line 513, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:434: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext I've determined that this is because of the use of strlen() on a non-zero terminated string. I'll try to come up with an updated patch. |
Here is a fixed patch. It also came to me that "selected_protocol" could be ambiguous, so I renamed it to "selected_npn_protocol". |
New changeset 2514a4e2b3ce by Antoine Pitrou in branch 'default': |
Closing since the buildbots don't seem to show any new failures after the commit. Thank you for your contribution! |
Just noticed this is missing from "What's new in Python 3.3": http://docs.python.org/dev/whatsnew/3.3.html. Should I submit a patch for that? |
No need for that, the What's New document usually gets filled later in the release cycle. |
Ah ok, just curious. Thanks! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: