X Tutup
Skip to content

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context#105295

Merged
gpshead merged 2 commits intopython:mainfrom
grantramsay:fix-issue-105293
Jul 14, 2023
Merged

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context#105295
gpshead merged 2 commits intopython:mainfrom
grantramsay:fix-issue-105293

Conversation

@grantramsay
Copy link
Contributor

@grantramsay grantramsay commented Jun 4, 2023
edited by bedevere-bot
Loading

@bedevere-bot
Copy link

bedevere-bot commented Jun 4, 2023

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@bedevere-bot bedevere-bot mentioned this pull request Jun 4, 2023
Closed
@grantramsay
Copy link
Contributor Author

grantramsay commented Jun 4, 2023

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

@grantramsay grantramsay mentioned this pull request Jun 4, 2023
Merged
@gpshead
Copy link
Member

gpshead commented Jun 5, 2023

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

It sounds like that makes sense. go for it in this PR and we'll take a look.

add some form of news entry once you've done that as well.

@gpshead gpshead self-assigned this Jun 5, 2023
@grantramsay
Copy link
Contributor Author

grantramsay commented Jun 5, 2023
edited
Loading

For back-compatibility, possibly SSL_CTX_set_session_id_context should also be called in ssl.wrap_socket if server_side and using one of the deprecated ssl.PROTOCOL_* enums. I can make that changes if reviewers think it is necessary

It sounds like that makes sense. go for it in this PR and we'll take a look.

add some form of news entry once you've done that as well.

Maybe I should just remove the call to SSL_CTX_set_session_id_context and only call SSL_set_session_id_context on the SSL object? This would avoid doing the same thing in two places

Edit: although doing it at the context level will be slightly cleaner once the deprecated methods are removed...

@grantramsay
pythongh-105293: Do not call SSL_CTX_set_session_id_context on client…
9656330 
… side SSL context

Openssl states this is a "server side only" operation.
Calling this on a client side socket can result in unexpected behavior
@grantramsay
Add news entry on SSL "set session id context" changes
de37021
@gramsay0
Copy link

gramsay0 commented Jul 14, 2023

@gpshead I've updated this to only call SSL_set_session_id_context on the SSL object

@gpshead gpshead added needs backport to 3.12 only security fixes and removed needs backport to 3.12 only security fixes labels Jul 14, 2023
@gpshead gpshead merged commit 21d98be into python:main Jul 14, 2023
kgdiem pushed a commit to kgdiem/cpython that referenced this pull request Jul 14, 2023
@grantramsay @kgdiem
pythongh-105293: Do not call SSL_CTX_set_session_id_context on client…
642cc0e 
… side SSL context (python#105295)

* pythongh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context

Openssl states this is a "server side only" operation.
Calling this on a client side socket can result in unexpected behavior

* Add news entry on SSL "set session id context" changes
@ZeroIntensity ZeroIntensity mentioned this pull request Aug 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@gpshead gpshead

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@grantramsay @bedevere-bot @gpshead @gramsay0
X Tutup