Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context #105295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 14, 2023
Merged

gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context #105295

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9656330
gh-105293: Do not call SSL_CTX_set_session_id_context on client side …
grantramsay Jul 14, 2023
de37021
Add news entry on SSL "set session id context" changes
grantramsay Jul 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2023-07-14-14-53-58.gh-issue-105293.kimf_i.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Remove call to ``SSL_CTX_set_session_id_context`` during client side context
creation in the :mod:`ssl` module.
14 changes: 9 additions & 5 deletions Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -847,6 +847,15 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
return NULL;
}

if (socket_type == PY_SSL_SERVER) {
#define SID_CTX "Python"
/* Set the session id context (server-side only) */
SSL_set_session_id_context(self->ssl, (const unsigned char *) SID_CTX,
sizeof(SID_CTX));
#undef SID_CTX
}

/* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
Expand Down Expand Up @@ -3186,11 +3195,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
usage for no cost at all. */
SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);

#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
sizeof(SID_CTX));
#undef SID_CTX

params = SSL_CTX_get0_param(self->ctx);
/* Improve trust chain building when cross-signed intermediate
certificates are present. See https://bugs.python.org/issue23476. */
Expand Down