gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context...
authorGrant Ramsay <grant.ramsay@hotmail.com>
Fri, 14 Jul 2023 07:10:54 +0000 (19:10 +1200)
committerGitHub <noreply@github.com>
Fri, 14 Jul 2023 07:10:54 +0000 (00:10 -0700)
* gh-105293: Do not call SSL_CTX_set_session_id_context on client side SSL context

OpenSSL states this is a "server side only" operation.
Calling it on a client-side socket can result in unexpected behavior.

* Add news entry on SSL "set session id context" changes

Misc/NEWS.d/next/Library/2023-07-14-14-53-58.gh-issue-105293.kimf_i.rst [new file with mode: 0644]
Modules/_ssl.c

diff --git a/Misc/NEWS.d/next/Library/2023-07-14-14-53-58.gh-issue-105293.kimf_i.rst b/Misc/NEWS.d/next/Library/2023-07-14-14-53-58.gh-issue-105293.kimf_i.rst
new file mode 100644 (file)
index 0000000..c263c85
--- /dev/null
@@ -0,0 +1,2 @@
+Remove call to ``SSL_CTX_set_session_id_context`` during client side context
+creation in the :mod:`ssl` module.
index df1496925f678e5cd4d139d050185c88f89447b1..571de331e92cd9b8f28348b303823f6d858a45d2 100644 (file)
@@ -847,6 +847,15 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
         _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
+
+    if (socket_type == PY_SSL_SERVER) {
+#define SID_CTX "Python"
+        /* Set the session id context (server-side only) */
+        SSL_set_session_id_context(self->ssl, (const unsigned char *) SID_CTX,
+                                   sizeof(SID_CTX));
+#undef SID_CTX
+    }
+
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
 #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
     X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
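Review bot: The length passed on the new `sizeof(SID_CTX)` line is 7, i.e. it includes the string's NUL terminator, and nothing in the block says this is deliberate; it matches the SSL_CTX-level call the commit removes, so the bytes OpenSSL compares are unchanged, but a reader could "tidy" it to `sizeof(SID_CTX) - 1` without realising that alters the context value. The comment above the call would carry more weight if it also gave the reason a server needs it at all, e.g. `/* Set the session id context (server-side only). Per the OpenSSL manual a server that verifies client certificates will not resume stored sessions without one; the length deliberately includes the NUL. */`. The return value is unchecked; SSL_set_session_id_context() only fails when the length exceeds SSL_MAX_SID_CTX_LENGTH, which 7 bytes cannot, so a `(void)` cast or a static assert on the length would record that rather than leaving it looking like an oversight. newPySSLSocket's body continues outside the hunk on both sides, so whether the call precedes the accept-state setup cannot be confirmed from here.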
@@ -3186,11 +3195,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
        usage for no cost at all. */
     SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
 
-#define SID_CTX "Python"
-    SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
-                                   sizeof(SID_CTX));
-#undef SID_CTX
-
     params = SSL_CTX_get0_param(self->ctx);
     /* Improve trust chain building when cross-signed intermediate
        certificates are present. See https://bugs.python.org/issue23476. */