Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context #105295

Merged
merged 2 commits into from Jul 14, 2023
Merged

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context #105295

merged 2 commits into from Jul 14, 2023
+11 −5

Conversation

grantramsay
Copy link
Contributor

@grantramsay grantramsay commented Jun 4, 2023
edited by bedevere-bot

@bedevere-bot
Copy link

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@bedevere-bot bedevere-bot mentioned this pull request Jun 4, 2023
Closed
@grantramsay
Copy link
Contributor Author

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

@grantramsay grantramsay mentioned this pull request Jun 4, 2023
Merged
@gpshead
Copy link
Member

gpshead commented Jun 5, 2023

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

It sounds like that makes sense. go for it in this PR and we'll take a look.

add some form of news entry once you've done that as well.

@gpshead gpshead self-assigned this Jun 5, 2023
@grantramsay
Copy link
Contributor Author

grantramsay commented Jun 5, 2023
edited

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

It sounds like that makes sense. go for it in this PR and we'll take a look.

add some form of news entry once you've done that as well.

Maybe I should just remove the call to SSL_CTX_set_session_id_context and only call SSL_set_session_id_context on the SSL object? This would avoid doing the same thing in two places

Edit: although doing it at the context level will be slightly cleaner once the deprecated methods are removed...

@grantramsay
pythongh-105293: Do not call SSL_CTX_set_session_id_context on client…
9656330 
… side SSL context

Openssl states this is a "server side only" operation.
Calling this on a client side socket can result in unexpected behavior
@grantramsay
Add news entry on SSL "set session id context" changes
de37021
@gramsay0
Copy link

@gpshead I've updated this to only call SSL_set_session_id_context on the SSL object

@gpshead gpshead added needs backport to 3.12 bug and security fixes and removed needs backport to 3.12 bug and security fixes labels Jul 14, 2023
@gpshead gpshead merged commit 21d98be into python:main Jul 14, 2023
26 checks passed
kgdiem pushed a commit to kgdiem/cpython that referenced this pull request Jul 14, 2023
@grantramsay @kgdiem
pythongh-105293: Do not call SSL_CTX_set_session_id_context on client…
642cc0e 
… side SSL context (python#105295)

* pythongh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context

Openssl states this is a "server side only" operation.
Calling this on a client side socket can result in unexpected behavior

* Add news entry on SSL "set session id context" changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@gpshead gpshead

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@grantramsay @bedevere-bot @gpshead @gramsay0