TLS 1.3 Session Resumption with PSKs in pyopenssl?

Question

TLS 1.3 Session Resumption with PSKs in pyopenssl?

dennisn00 opened this issue 10 months ago · 1 comments

I am trying to build mTLS client and server with pyopenssl and measure timing for the handshake to compare to some alternative approach.
I want to test performance for the handshake with and without Session Resumption. In TLS 1.3, the server may send a New Session Ticket Message containing a PSK Identity that the Client can use on subsequent connections to resume the session.
It seems like some necessary Bindings were added to cryptography here but I couldn't find any relating functions in pyopenssl.
Is there a way to use Session Resumption with PSKs in pyopenssl or is there any plans to implement this feature?

Answer 1 · 2024-02-15T12:08:00.000Z

I figured out that this is indeed possible with pyOpenSSL, with the standard mechanism described below. I assume OpenSSL is handling the details of the implementation internally.
On the server side, I used

 context.set_session_cache_mode(SSL.SESS_CACHE_SERVER)
 context.set_session_id(b"test")

and on the client side

context.set_session_cache_mode(SSL.SESS_CACHE_CLIENT)
session = None
...
ssl_connection.connect(endpoint)
if session:
    ssl_connection.set_session(session)
ssl_connection.do_handshake()
data = ssl_connection.recv(1)
if data:
    session = ssl_connection.get_session()

My problem was that previously, I saved the session right after the handshake before receiving any data.
This meant that no Session Ticket was received yet and thus the session could not be reused.
The New Session Ticket Message is sent before the first application data, so when the first byte of data arrives I can store the session for reuse.