[issue19500] Add client-side SSL session resumption

Rob Reilink added the comment: With this code in place, ftplib should / could also be updated to support session resumption. This would fix bugs with connections to FTP servers that require session resumption [1], [2] In ftplib.FTP_TLS.ntransfercmd, just add a reference to the current session

[issue19500] Add client-side SSL session resumption

Changes by Christian Heimes : -- components: +SSL ___ Python tracker ___ ___

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: I have committed the feature with rudimentary documentation. I will provide more documentation and an example before 3.6.0b2. -- assignee: -> christian.heimes components: +Documentation priority: normal -> high

[issue19500] Add client-side SSL session resumption

Roundup Robot added the comment: New changeset 6f2644738876 by Christian Heimes in branch 'default': Issue #19500: Add client-side SSL session resumption to the ssl module. https://hg.python.org/cpython/rev/6f2644738876 -- nosy: +python-dev ___

[issue19500] Add client-side SSL session resumption

Changes by Alex Warhawk : -- nosy: -Alex Warhawk ___ Python tracker ___ ___

[issue19500] Add client-side SSL session resumption

Changes by Stephen Ash : -- nosy: +Stephen Ash ___ Python tracker ___ ___

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: This patch implements a workaround for OpenSSL 1.1.0. -- Added file: http://bugs.python.org/file44480/SSL-client-side-SSL-session-resumption.patch ___ Python tracker

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: Session resumption is currently broken in OpenSSL 1.1.0, https://github.com/openssl/openssl/issues/1550 -- ___ Python tracker

[issue19500] Add client-side SSL session resumption

Changes by Christian Heimes : Added file: http://bugs.python.org/file44376/SSLSession-support-2.patch ___ Python tracker ___

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: Note to future me: Don't forget to take care of X.509 client authentication. A server is allowed to bypass client cert validation when a SSL session is resumed. SSLContext.load_cert_chain() should invalidate session caches. (CVE-2016-5419

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: Xiang, good point! I have added richcompare to SSLSession (based on session id). My branch on github implements a couple more fixes and improvements. -- ___ Python tracker

[issue19500] Add client-side SSL session resumption

Xiang Zhang added the comment: Patch LGTM. But one thing is that every time it returns a new instance of SSL.Session. That means ssl_sock.session == ssl_sock.session will always return False right now. Is it useful to make it comparable? -- nosy: +xiang.zhang

[issue19500] Add client-side SSL session resumption

Christian Heimes added the comment: Performance improvements with session resumption is quite noticeable. I see between 17 and 21% improvement for 10 requests GET http://pypi.python.org/pypi in a simple benchmark: session resumption: 1.264sec no session: 1.535sec

[issue19500] Add client-side SSL session resumption

Changes by Christian Heimes : -- nosy: +alex stage: -> patch review title: Error when connecting to FTPS servers not supporting SSL session resuming -> Add client-side SSL session resumption type: behavior -> enhancement ___