[Twisted-Python] Fwd: Trouble with session id reuse/disabling with twisted TLS
Henrik Thostrup Jensen
thostrup at gmail.com
Wed Apr 30 10:43:09 MDT 2014
Hi
I have a twisted service which uses TLS, and I am seeing some odd behaviour.
New connections are accepted fine, but if a client tries to re-use a
TLS session id with a new connection, the service rejects the
connection.
Poking at the TLS module I added the following line to help me figure
out what was wrong:
@@ -363,11 +365,13 @@
except ZeroReturnError:
# TLS has shut down and no more TLS data will be received over
# this connection.
self._shutdownTLS()
# Passing in None means the user protocol's connnectionLost
# will get called with reason from underlying transport:
self._tlsShutdownFinished(None)
except Error as e:
+ log.msg('_flushReceiveBIO Error: %s' % str(e),
system='protocols.TLS')
# Something went pretty wrong. For example, this might be a
# handshake failure (because there were no shared
ciphers, because
# a certificate failed to verify, etc). TLS can no
longer proceed.
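Review bot: the continuation line `system='protocols.TLS')` is missing its `+` marker, so the hunk as pasted will not apply; and since this branch already has the exception in hand, `log.err(e, system='protocols.TLS')` would record the full OpenSSL error list with a traceback, where `log.msg('... %s' % str(e))` flattens it to one line. If the goal is to make TLS failures diagnosable by the user protocol rather than only in the log, the comment just above ("Passing in None means ... reason from underlying transport") suggests the stronger change: hand a Failure wrapping `e` to `_tlsShutdownFinished` so `connectionLost` receives the real reason.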
(I think the above patch would be a nice addition to twisted as
figuring out what goes wrong in the TLS stack is currently quite
difficult).
This gives me the following:
2014-04-30 15:02:08+0200 [protocols.TLS] _flushReceiveBIO Error:
[('SSL routines', 'SSL_GET_PREV_SESSION', 'session id context
uninitialized')]
I am using the same (cached) context for all incoming connections.
Using openssl s_client -connect host:port I can see that the service
returns a session id and master key.
If I disable the session cache with:
ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF)
the s_client command still returns session-id and master-key, which is
rather unexpected.
(I am not using the CertificateOptions class, just SSL.Context)
Code for context creation can be seen here (without the disabling of the session id):
https://github.com/NORDUnet/opennsa/blob/master/opennsa/ctxfactory.py
Any idea as to what I am doing wrong here?
This is with openssl 1.0.1-4ubuntu5.12, pyOpenSSL 14.1 and Twisted 13.1
regards, Henrik
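The mail checks session behaviour by eye from `openssl s_client` output. As an added example (not code from this thread, from OpenNSA or from Twisted), the script below automates that check: it drives `s_client` twice, saving the first session with `-sess_out` and replaying it with `-sess_in`, and classifies the second run as resumed, fresh, rejected, or no session issued, by parsing the `New,`/`Reused,` verdict line and the `Session-ID:`/`Master-Key:` fields that s_client prints. It also includes a small pyOpenSSL context factory that calls `Context.set_session_id`; that rests on the known OpenSSL semantics of the logged error, where "session id context uninitialized" is raised when a server context without a session id context is asked to resume a session. Everything else is an assumption: the `host`/`port` you probe, the `sid_ctx` value, the certificate and key paths, and the sample s_client outputs, which are constructed rather than captured from the poster's service.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Lines openssl s_client prints after the handshake (OpenSSL 1.0.x format):
#   New, TLSv1/SSLv3, Cipher is AES256-SHA      <- full handshake
#   Reused, TLSv1/SSLv3, Cipher is AES256-SHA   <- session resumed
#   Session-ID: 4A1F...                          <- inside the SSL-Session block
#   Master-Key: 0011...
_VERDICT = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)\s*$", re.M)
_FIELD = re.compile(r"^\s*(Session-ID|Master-Key): ([0-9A-Fa-f]*)\s*$", re.M)


def parse_s_client(output):
    """Pull the resumption verdict, Session-ID and Master-Key out of s_client output."""
    info = {"reused": None, "session_id": "", "master_key": ""}
    m = _VERDICT.search(output)
    if m:
        info["reused"] = m.group(1) == "Reused"
        info["protocol"], info["cipher"] = m.group(2), m.group(3)
    for name, value in _FIELD.findall(output):
        info["session_id" if name == "Session-ID" else "master_key"] = value
    return info


def check_resumption(first_output, second_output):
    """Classify two runs, the second replaying the first run's session:
    'no-session' (server issued no id), 'resumed', 'fresh' (server declined
    the old session but completed a full handshake) or 'rejected' (the second
    run never reached a verdict line, i.e. the handshake failed)."""
    first = parse_s_client(first_output)
    second = parse_s_client(second_output)
    if not first["session_id"]:
        return "no-session"
    if second["reused"] is None:
        return "rejected"
    return "resumed" if second["reused"] else "fresh"


def probe_resumption(host, port, openssl="openssl", timeout=15):
    """Run s_client twice against host:port (assumed to be your own service),
    saving the first session with -sess_out and replaying it with -sess_in.
    Needs the openssl binary on PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        sess = Path(tmp) / "session.pem"
        base = [openssl, "s_client", "-connect", "%s:%d" % (host, port)]
        outputs = []
        for extra in (["-sess_out", str(sess)], ["-sess_in", str(sess)]):
            run = subprocess.run(base + extra, input=b"", capture_output=True, timeout=timeout)
            # the verdict goes to stdout, handshake errors to stderr: parse both
            outputs.append((run.stdout + run.stderr).decode("utf-8", "replace"))
    return check_resumption(*outputs)


def make_server_context(certfile, keyfile, sid_ctx=b"example-service"):
    """pyOpenSSL server context that sets an explicit session id context
    (Context.set_session_id wraps SSL_CTX_set_session_id_context). The
    sid_ctx value is a placeholder; any stable per-application bytes will do."""
    from OpenSSL import SSL  # local import: the parser above works without pyOpenSSL
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    ctx.use_certificate_file(certfile)
    ctx.use_privatekey_file(keyfile)
    ctx.set_session_id(sid_ctx)
    return ctx


# Constructed sample outputs; not captured from the poster's service.
FIRST_RUN = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 4A1F2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    Session-ID-ctx:
    Master-Key: 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
"""
RESUMED_RUN = FIRST_RUN.replace("New, TLSv1/SSLv3", "Reused, TLSv1/SSLv3")
REJECTED_RUN = """\
CONNECTED(00000003)
140735274099000:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:0:SSL alert number 40
"""

if __name__ == "__main__":
    for label, second in (("resumed", RESUMED_RUN), ("rejected", REJECTED_RUN), ("fresh", FIRST_RUN)):
        print(label, "->", check_resumption(FIRST_RUN, second))
```

Run `probe_resumption("localhost", 9443)` against a test instance of the service: a result of `rejected` reproduces the symptom in the mail (the replayed session kills the connection), `resumed` means the server accepted the cached session, and `fresh` means it declined it but still completed a full handshake. Comparing the result before and after changing the context settings gives a repeatable check instead of reading s_client output by hand.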