[Twisted-Python] Fwd: Trouble with session id reuse/disabling with twisted TLS

Henrik Thostrup Jensen thostrup at gmail.com
Wed Apr 30 10:43:09 MDT 2014


Hi

I have a twisted service which uses TLS, and I am seeing some odd behaviour.

New connections are accepted fine, but if a client tries to re-use a
TLS session id with a new connection, the service rejects the
connection.

Poking at the TLS module I added the following line to help me figure
out what was wrong:

@@ -363,11 +365,13 @@
             except ZeroReturnError:
                 # TLS has shut down and no more TLS data will be received over
                 # this connection.
                 self._shutdownTLS()
                 # Passing in None means the user protocol's connnectionLost
                 # will get called with reason from underlying transport:
                 self._tlsShutdownFinished(None)
             except Error as e:
+                log.msg('_flushReceiveBIO Error: %s' % str(e),
system='protocols.TLS')
                 # Something went pretty wrong.  For example, this might be a
                 # handshake failure (because there were no shared
ciphers, because
                 # a certificate failed to verify, etc).  TLS can no
longer proceed.
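Review bot: the added `log.msg(...)` call is split across two lines in the mail (`system='protocols.TLS'` sits on its own line at column 0 without a `+` prefix), so the hunk as pasted will not apply and should be rejoined onto one `+` line before being proposed. Since this `except Error as e:` branch catches every error from the receive BIO, including the routine handshake failures the comment below it lists (no shared ciphers, certificate failed to verify), the message will be emitted for each of them at the default log level; naming the connection it belongs to in the message would make the line attributable when many clients are connecting, and otherwise the error is only surfaced through the existing shutdown path.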

(I think the above patch would be a nice addition to twisted as
figuring out what goes wrong in the TLS stack is currently quite
difficult).

This gives me the following:

2014-04-30 15:02:08+0200 [protocols.TLS] _flushReceiveBIO Error:
[('SSL routines', 'SSL_GET_PREV_SESSION', 'session id context
uninitialized')]

I am using the same (cached) context for all incoming connections.

Using openssl s_client -connect host:port I can see that the service
returns a session id and master key.

If I disable session cache with:

ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF)

The s_client command still returns session-id and master-key, which is
rather unexpected.
(I am not using the CertificateOptions class, just SSL.Context)

Code for context creation can be seen here:
https://github.com/NORDUnet/opennsa/blob/master/opennsa/ctxfactory.py
Without the disabling of session id.

Any idea as to what I am doing wrong here?

This is with openssl 1.0.1-4ubuntu5.12, pyOpenSSL 14.1 and Twisted 13.1.


  regards, Henrik
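The behaviour described in the post (a server that requests client certificates completes fresh handshakes but fails resumption with "session id context uninitialized"), reproduced with pyOpenSSL over in-memory BIOs. This is an added example, not code from the post or from opennsa; the throwaway self-signed certificate and the context value `b"opennsa-demo"` are constructed for the demo, and setting a session-id context via `Context.set_session_id` is the fix assumed here.

```python
from OpenSSL import SSL, crypto

def self_signed():  # constructed throwaway identity for the demo, not a deployment cert
    key = crypto.PKey(); key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509(); cert.set_serial_number(1); cert.set_pubkey(key)
    cert.get_subject().CN = "localhost"; cert.set_issuer(cert.get_subject())
    cert.gmtime_adj_notBefore(0); cert.gmtime_adj_notAfter(3600)
    cert.sign(key, "sha256")
    return key, cert

def server_context(set_sid_ctx):
    key, cert = self_signed()
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)  # TLS 1.2: session-id/ticket resumption, no 1.3 PSK
    ctx.use_privatekey(key); ctx.use_certificate(cert)
    # Requesting a client certificate is what makes OpenSSL insist on a session-id context.
    ctx.set_verify(SSL.VERIFY_PEER, lambda conn, x509, errnum, depth, ok: ok)
    if set_sid_ctx:
        ctx.set_session_id(b"opennsa-demo")  # SSL_CTX_set_session_id_context; value is arbitrary
    return ctx

def handshake(client, server):
    """Pump TLS records between two memory-BIO connections until both sides finish."""
    for _ in range(10):
        finished = 0
        for side, peer in ((client, server), (server, client)):
            try:
                side.do_handshake(); finished += 1
            except SSL.WantReadError:
                pass
            try:
                peer.bio_write(side.bio_read(65536))
            except SSL.WantReadError:
                pass  # nothing pending on this side
        if finished == 2:
            return
    raise RuntimeError("handshake did not complete")

def resume_session(set_sid_ctx):
    """'resumed' if the second handshake reuses the first session, else the OpenSSL error text."""
    sctx, cctx = server_context(set_sid_ctx), SSL.Context(SSL.TLSv1_2_METHOD)
    first_c, first_s = SSL.Connection(cctx, None), SSL.Connection(sctx, None)
    first_c.set_connect_state(); first_s.set_accept_state()
    handshake(first_c, first_s)
    second_c, second_s = SSL.Connection(cctx, None), SSL.Connection(sctx, None)
    second_c.set_connect_state(); second_s.set_accept_state()
    second_c.set_session(first_c.get_session())  # offer the cached session, as a reconnecting client does
    try:
        handshake(second_c, second_s)
    except SSL.Error as e:
        return str(e)
    return "resumed" if second_c.master_key() == first_c.master_key() else "new session"
```

Without the context the second handshake raises the same OpenSSL error the post logs; with it the master secret of the second connection matches the first, which is what a resumed TLS 1.2 session looks like.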


