You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is true that failing to set this value will effectively disable sessions when client certificates are in use, but that is a bit of an edge case.
The language in the OpenSSL documentation strongly implies that this value should be a stable identifier; specifically "e.g. the name of the application and/or the hostname and/or service name". However, we are instead setting a random identifier.
The attempt to use the full size of SSL_MAX_SSL_SESSION_ID_LENGTH is also a bit silly / pointless. (NB: this data does not in fact go into the session ID, that just happens to be a common limit on both the session ID and this weird value.)
(The docs here also sort of imply that this has something to do with servers, but doesn't clearly stipulate that it is meaningless on client contexts.)
To properly enable (or disable) TLS sessions, in a way that would work across more than a single TLS-terminating node in a cluster, one needs to use the various session storage callbacks which are not yet even exposed by pyOpenSSL.
However, pyOpenSSL does offer us Context.set_session_cache_mode, which could at least be used to honor the "disable" part of this flag's documentation.
I've included a workaround (and some hypothetical mitigations) for #9764 as well since we are probably not going to be able to fully diagnose that on our own, unfortunately.
#!CommitTicketReference repository="" revision="eb3248b197f2bd2d4091a73bbaf93174d8da19b5"
Merge pull request #1224 from twisted/9583-session-silliness
Author: glyph
Reviewer: twm
Fixes: ticket:9583
Make the `enableSessions` argument to CertificateOptions actually enable and disable session support in TLS.
The documentation explains this field thusly:
However, that is not at all what the implementation of this flag does.
This is a propagation of the unfortunately-named and also-incorrectly-documented OpenSSL.SSL.Context.set_session_id, which is in fact a weird cache-control tuning gizmo in OpenSSL.
set_session_id
is an incorrect transcription of the name of the actual function being wrapped, SSL_CTX_set_session_id_context.It is true that failing to set this value will effectively disable sessions when client certificates are in use, but that is a bit of an edge case.
The language in the OpenSSL documentation strongly implies that this value should be a stable identifier; specifically "e.g. the name of the application and/or the hostname and/or service name". However, we are instead setting a random identifier.
The attempt to use the full size of SSL_MAX_SSL_SESSION_ID_LENGTH is also a bit silly / pointless. (NB: this data does not in fact go into the session ID, that just happens to be a common limit on both the session ID and this weird value.)
(The docs here also sort of imply that this has something to do with servers, but doesn't clearly stipulate that it is meaningless on client contexts.)
To properly enable (or disable) TLS sessions, in a way that would work across more than a single TLS-terminating node in a cluster, one needs to use the various session storage callbacks which are not yet even exposed by pyOpenSSL.
However, pyOpenSSL does offer us Context.set_session_cache_mode, which could at least be used to honor the "disable" part of this flag's documentation.
Searchable metadata
The text was updated successfully, but these errors were encountered: