pyOpenSSL should expose OpenSSL session APIs

Bug #808879 reported by Jean-Paul Calderone
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
pyOpenSSL | Confirmed | Undecided | Jean-Paul Calderone |

Bug Description

Hello,

I have seen that SSL_CTX_set_session_cache_mode doesn't have a corresponding method in pyOpenSSL, so OpenSSL will cache the session ID as a server. Are there any plans to add this? Or is there another way of making OpenSSL cache the session ID as a client?

Regards.

Changed in pyopenssl:
status: New → Confirmed
Alejandro Álvarez Ayllón (aalvarez) wrote :

Hello,

I have implemented some of the API related to SSL sessions. I am submitting a patch here to see if it would match the style and requirements (this is the first time I have coded a Python module in C).

Regards.

Alejandro Álvarez Ayllón (aalvarez) wrote :

Also, I attach some simple code to test the session reuse. The output is something like:

First connection
Second connection
 Session reused!
Third connection
 Session reused!
Fourth connection
 Session reused!
Fifth connection
 Session reused!

Session time: 2011-07-12 17:26:43
Session timeout: 3000
Negotiations: 5
Successful: 5
Hits: 4

Cheers.

Jean-Paul Calderone (exarkun) wrote :

Thanks. This looks pretty cool. I checked the patch into a bzr branch and linked it to this ticket. I also made a few minor changes:

  * pyOpenSSL uses unit tests to ensure things are working properly. All code and functionality needs to be exercised by at least one unit test which verifies that it is working properly. ssl_test.py is a good example showing how to use the client part of this functionality, but for real test coverage this will need a lot of unit tests. There are a lot of good examples of these in OpenSSL/test/.
  * As far as style goes, I'm not very concerned about it - plus it's easy for me to fix, and not bother you with. But if you care, then stick to 4 space indents, keep lines under 80 columns, avoid trailing whitespace, always use braces around a block, and cuddle opening braces ("if (foo) {"). I fixed some of this already in the branch.
  * For error handling of OpenSSL APIs, there is an error stack. If an OpenSSL call fails, then it's probably not correct to just set a ValueError and return; instead, you need to set the error from the error stack. If you're in the OpenSSL.SSL module, as all this code is I think, then the way to do this is with `exception_from_error_queue(ssl_Error);` and then return (don't forget the return! A few places in the code in the patch set an error and then continue on as if nothing bad happened). Error cases need unit tests as well.
  * The PyCObject stuff is deprecated in new versions of Python, so I'm not maintaining it in pyOpenSSL anymore. I think you can drop the changes to `ssl_API`.
  * If you want, you can also update doc/pyOpenSSL.tex.
  * I don't think ssl_Session_Type needs to be a GC type. It can't reference any other Python objects, so it shouldn't be able to be part of any cycles.

You should be able to make a branch of lp:~exarkun/pyopenssl/sessions, commit your changes, and push it back to launchpad. I'm looking forward to the next version. Thanks again!

Changed in pyopenssl:
assignee: nobody → Alejandro Álvarez Ayllón (aalvarez)
Changed in pyopenssl:
assignee: Alejandro Álvarez Ayllón (aalvarez) → Jean-Paul Calderone (exarkun)
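
As an added illustration (not the patch or test script attached to this bug), the client-side reuse asked about in the report can be exercised with the session methods that current pyOpenSSL releases expose: `Context.set_session_cache_mode`, `Connection.get_session` and `Connection.set_session`. The in-memory loopback, the throwaway certificate and the function names are constructed for the example, and it assumes a pyOpenSSL recent enough to provide `SSL.TLS_METHOD` and `set_max_proto_version`.

```python
from OpenSSL import SSL, crypto

def make_contexts():
    key = crypto.PKey()  # constructed throwaway key and self-signed certificate
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "localhost"
    cert.set_issuer(cert.get_subject())
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    server = SSL.Context(SSL.TLS_METHOD)
    server.use_certificate(cert)
    server.use_privatekey(key)
    server.set_session_id(b"session-demo")  # session ID context for resumption
    client = SSL.Context(SSL.TLS_METHOD)  # no peer verification: loopback demo only
    client.set_session_cache_mode(SSL.SESS_CACHE_CLIENT)
    for ctx in (client, server):  # TLS 1.2: a resumed session keeps its master key
        ctx.set_max_proto_version(SSL.TLS1_2_VERSION)
    return client, server

def connect(client_ctx, server_ctx, session=None):
    client = SSL.Connection(client_ctx, None)  # None socket: memory BIO transport
    server = SSL.Connection(server_ctx, None)
    client.set_connect_state()
    server.set_accept_state()
    if session is not None:
        client.set_session(session)  # the client must offer the session itself
    pending = True
    while pending:  # shuttle handshake records until neither side wants input
        pending = False
        for conn, peer in ((client, server), (server, client)):
            try:
                conn.do_handshake()
            except SSL.WantReadError:
                pending = True
            try:
                peer.bio_write(conn.bio_read(1 << 16))
            except SSL.WantReadError:
                pass  # nothing queued for the peer
    return client

def demo():
    client_ctx, server_ctx = make_contexts()
    first = connect(client_ctx, server_ctx)
    resumed = connect(client_ctx, server_ctx, first.get_session())
    fresh = connect(client_ctx, server_ctx)  # no session offered: full handshake
    return (resumed.master_key() == first.master_key(),
            fresh.master_key() == first.master_key())
```

`demo()` returns `(True, False)`: only the connection that was handed the saved session resumes it, since enabling the client cache mode alone does not make OpenSSL pick a session for a new connection.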