Description
When initialising an SSLContext there is a call to SSL_CTX_set_session_id_context():

```c
/* From Modules/_ssl.c, in the SSLContext constructor; sizeof(SID_CTX) is 7,
 * so the trailing NUL is part of the value passed to OpenSSL. */
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
                               sizeof(SID_CTX));
#undef SID_CTX
```
The OpenSSL man pages state that SSL_CTX_set_session_id_context is a "server side only" operation:
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_session_id_context.html
SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)
The session id context becomes part of the session. The session id context is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and SSL_set_session_id_context() functions are therefore only useful on the server side.
In some circumstances, calling this on a client-side socket can result in unexpected behavior. For example TLSv1.3 PSK: #103181 (comment)
The fix for this was originally part of another PR (#103181); @gpshead recommended creating a separate issue/PR.
Activity
pythongh-105293: Do not call SSL_CTX_set_session_id_context on client…
gh-105293: Do not call SSL_CTX_set_session_id_context on client side …
gpshead commented on Jul 14, 2023
While we could backport this to releases, unless it's actually causing a problem there (the issue has existed forever, it seems), let's not bother. It seems most important for your new feature PR.