TLS get keys and randoms #59276

Open
llaniscudani mannequin opened this issue Jun 14, 2012 · 8 comments
Labels
stdlib Python modules in the Lib dir topic-SSL type-feature A feature request or enhancement

Comments

Mannequin

llaniscudani mannequin commented Jun 14, 2012

BPO 15071
Nosy @loewis, @pitrou, @tiran

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2012-06-14.20:40:12.382>
labels = ['type-feature', 'library']
title = 'TLS get keys and randoms'
updated_at = <Date 2016-05-06.09:14:56.759>
user = 'https://bugs.python.org/llaniscudani'

bugs.python.org fields:

activity = <Date 2016-05-06.09:14:56.759>
actor = 'christian.heimes'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2012-06-14.20:40:12.382>
creator = 'llaniscudani'
dependencies = []
files = []
hgrepos = []
issue_num = 15071
keywords = []
message_count = 7.0
messages = ['162825', '162826', '162827', '162833', '163085', '163086', '264949']
nosy_count = 5.0
nosy_names = ['loewis', 'pitrou', 'christian.heimes', 'llaniscudani', 'dveeden']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'needs patch'
status = 'languishing'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue15071'
versions = ['Python 3.6']

Mannequin Author

llaniscudani mannequin commented Jun 14, 2012

I am developing a RADIUS server in 3.2 for WiFi authentication. The EAP-TLS or PEAP auths require a TLS tunnel AND getting the master key and the client hello and server hello randoms to generate the MSK, the key to encrypt between the WiFi user and the WiFi access point.

The most necessary is the master key; the randoms are possible to extract with a "man in the middle".

Please, patch ssl.

@llaniscudani llaniscudani mannequin added stdlib Python modules in the Lib dir type-feature A feature request or enhancement labels Jun 14, 2012
Member

pitrou commented Jun 14, 2012

Please elaborate on what you are asking for, and try to make yourself understandable.
Also, a good way to see your enhancement request fulfilled is to contribute it yourself; please take a look at the devguide: http://docs.python.org/devguide/

Mannequin

loewis mannequin commented Jun 14, 2012

Daniel: Antoine is absolutely right. About the only way this can happen is if *you* contribute the code. Even if you would make clear what you want (what is a "master key" and the "hello randoms"?), it is likely that still nobody else needs that feature.

So without code from you, it will likely not happen.

Mannequin Author

llaniscudani mannequin commented Jun 15, 2012

OK. I will try to do the patch!

Mannequin Author

llaniscudani mannequin commented Jun 17, 2012

This function solves the problem: "SSL_tls1_key_exporter"

http://comments.gmane.org/gmane.comp.encryption.openssl.user/42015

included in the development version of OpenSSL 1.0.1 in the CVS

What is the correct way to implement it in the Python binding?

Member

pitrou commented Jun 17, 2012

Ok, so it seems the functionality is described in http://tools.ietf.org/html/rfc5705. If I understand correctly, it takes an ASCII label string, an optional context bytestring, and the length of the desired derived key. It then returns a bytestring of the given length, shared between client and server.

The low-level implementation of the ssl module is in Modules/_ssl.c. We probably want to add a method to PySSLSocket_Type there. Then in Lib/ssl.py there'll have to be a SSLSocket method to call the former method.

Tests should go in Lib/test/test_ssl.py.

Member

tiran commented May 6, 2016

This request is an advanced use case. I'd rather keep the Python _ssl module simple and suggest PyOpenSSL + PyCA/cryptography for advanced features.

@tiran tiran added the stale Stale PR or inactive for long period of time. label May 6, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@Neustradamus

To follow this ticket
