#1275 Add OpenSSL.SSL.Connection.session_reused API. #1276
Conversation
adiroiban
force-pushed
the
1275-ssl-session-reused
branch
from
98d2f64
to
da78001
Compare
adiroiban
force-pushed
the
1275-ssl-session-reused
branch
from
da78001
to
a8705dc
Compare
|
|
||
| - Added ``OpenSSL.SSL.Connection.session_reused()`` to query whether the | ||
| current session was reused during the last handshake. | ||
| [`#1275 <https://github.com/pyca/pyopenssl/issues/1275>`_] |
There was a problem hiding this comment.
Let me know if you want a link to a PR.
I have created the changelong before creating the PR... so at that time, I didn't had a PR ID.
|
|
||
| :returns: int | ||
|
|
||
| .. versionadded:: NEXT |
There was a problem hiding this comment.
Not sure in which version it will be released.
| Retruns `0` when a new session was negotiated. | ||
| Returns `1` when a the session was reused. | ||
|
|
||
| :returns: int |
There was a problem hiding this comment.
I went with upstream API, but maybe is best to return a bool
|
|
||
| assert connection.session_reused() == 0 | ||
|
|
||
| def test_client_set_session_tls1_2(self): |
There was a problem hiding this comment.
I went with both TLS 1.2 and 1.3 tests since the session handling is a big different.
I will refactor the tests to share more code.
| # I have no idea why it works when server-side cache is disabled. | ||
| # I guess that this might be because server and client are in the | ||
| # same process. | ||
| server_ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF) |
There was a problem hiding this comment.
I went with explicit context for server and client.
Somehow for this test for TLS 1.2, it works even when cache is off.
For my end to end test, in which I use 2 separate processes, the server cache needs to be enabled for session reuse.
| assert originalServer.master_key() == resumedServer.master_key() | ||
| assert originalClient.master_key() == resumedClient.master_key() | ||
|
|
||
| def test_client_set_session_tls1_3(self): |
There was a problem hiding this comment.
I have no idea why tls 1.3 fails in this test.
I have it working in a separate manual proof of concept code, in which I have the server with pyOpenSSL and the client is curl.
Scope
Fixes #1275
This add the SSL.Connection API added in pyca/cryptography#9969
Changes
Add the API as int, not at boolean. Maybe it should be boolean.
Add tests for TLS 1.2 and TLS 1.3
In TLS 1.3 the master key is not the same for reused session.
Still WIP