
No way to use TLS-PSK from python ssl #63284

Closed
karlp mannequin opened this issue Sep 24, 2013 · 13 comments
Assignees
Labels
3.13 bugs and security fixes stdlib Python modules in the Lib dir topic-SSL type-feature A feature request or enhancement

Comments


karlp mannequin commented Sep 24, 2013

BPO 19084
Nosy @warsaw, @jcea, @pitrou, @giampaolo, @tiran, @chrysn
Files
  • 5bcfpEKD.txt: implementation of TLS-PSK from Mosquitto

OpenSSL supports TLS-PSK, which some people (myself obviously) find to be substantially easier to use than setting up certs.

However, there's no way to use PSK via the current SSL API in Python. It would be very nice to be able to use PSK from Python.

For OpenSSL, even the C API is particularly easy. Attached is the implementation used in Mosquitto, an MQTT message broker that supports both cert-based and PSK-based TLS.

@karlp karlp mannequin added type-bug An unexpected behavior, bug, or error stdlib Python modules in the Lib dir labels Sep 24, 2013

jcea (Member) commented Sep 24, 2013

Python 2.7 is open only for bugfixes. No new features.

Do you dare to write a patch for Python 3.4? :-). If you do, remember to sign a Contributor Agreement.

Give it a try! :)

pitrou (Member) commented Sep 24, 2013

Is it different from TLS-SRP, which already has a feature request in bpo-11943?
As Jesus said, feel free to propose a patch, even a proof of concept, so that we can start discussing the API.

@pitrou pitrou added type-feature A feature request or enhancement and removed type-bug An unexpected behavior, bug, or error labels Sep 24, 2013

ralight mannequin commented Sep 25, 2013

This is not TLS-SRP, but TLS-PSK as described by RFC 4279 [1].

There is a very small amount of overlap - the "unknown_psk_identity" error defined by PSK is also used in SRP.

[1] http://tools.ietf.org/html/rfc4279

Member commented:

This feature request has been idle for almost four years. Although TLS-PSK is nice to have, it is not a priority for protocols such as HTTPS. I have neither the time nor the motivation to create a patch myself. Therefore I'm closing this issue for lack of activity. Please feel free to re-open it with a patch against 3.7.

arhadthedev (Member) commented:

> This feature request has been idle for almost four years

A PR is proposed so reopening.

@arhadthedev arhadthedev reopened this Apr 2, 2023
grantramsay added a commit to grantramsay/cpython that referenced this issue Apr 2, 2023
grantramsay added a commit to grantramsay/cpython that referenced this issue Apr 3, 2023
grantramsay added a commit to grantramsay/cpython that referenced this issue Apr 3, 2023

grantramsay (Contributor) commented:

Hey, is anyone available to review the proposed PR?

@arhadthedev arhadthedev added 3.13 bugs and security fixes and removed 3.7 (EOL) end of life labels May 14, 2023
@gpshead gpshead self-assigned this May 30, 2023

gpshead (Member) commented May 30, 2023

I can handle the PR review. I'm not really convinced that this feature is worth having - the original bug filer's excuse was a poor one about not wanting to deal with certificates. letsencrypt has become commonplace not to make that easy.

But so long as ssl exists and is basically a wrapper around things OpenSSL provides, there is no harm in offering the APIs. I'd expect anyone doing a security review of a system design to raise their eyebrows at PSK TLS use...

gramsay0 commented May 31, 2023

@gpshead thanks for the review!
I will update the PR soon when I get a chance.

Yes, I agree with both sides of that argument.

A more common/standard use of TLS-PSK is resuming TLS sessions that were originally created by asymmetric encryption. Although possibly the TLSv1.3 PSK APIs (that I did not implement) are better suited to that.

Other use cases:

michallowasrzechonek-silvair commented:

> I can handle the PR review. I'm not really convinced that this feature is worth having - the original bug filer's excuse was a poor one about not wanting to deal with certificates. letsencrypt has become commonplace not to make that easy.

There are situations where certificates cannot be used - in IoT it's common that the embedded device has neither an RTC (to check validity) nor HTTP (to check revocation lists), and in most cases limited computing power.

tuxmaster5000 commented:

Another use case will be the backup software bareos/bacula, which makes heavy usage of TLS-PSK.

doronz88 commented:

I also need this feature for pymobiledevice3. On very recent updates, Apple started using TLS-PSK to communicate with the device. I believe more and more people will start having problems as a result.

gpshead added a commit that referenced this issue Nov 27, 2023
…103181)

Add support for TLS-PSK (pre-shared key) to the ssl module.

---------

Co-authored-by: Oleg Iarygin <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
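An added example, not code from this issue, the linked PR or CPython's own tests, showing what the merged feature makes possible: a PSK-only TLS 1.2 handshake using the SSLContext PSK callbacks that Python 3.13 gained, where the server looks each identity up in a key store and refuses unknown identities with the RFC 4279 unknown_psk_identity alert ralight mentioned above. PSK_STORE, IDENTITY_HINT and the device identity are constructed; on a Python without these callbacks the function reports "unsupported", which is exactly the gap this issue was about.

```python
import socket
import ssl
import threading
# Constructed demo key store: PSK identity -> 16-byte pre-shared key (not a real key).
PSK_STORE = {"device-0001": bytes.fromhex("000102030405060708090a0b0c0d0e0f")}
IDENTITY_HINT = "psk-demo"  # constructed hint the server offers in ServerKeyExchange


def server_psk_callback(identity):
    # b"" tells OpenSSL the identity is unknown, so the server sends the
    # unknown_psk_identity alert from RFC 4279 instead of guessing a key.
    return PSK_STORE.get(identity, b"")


def _psk_context(protocol, callback, hint=None):
    ctx = ssl.SSLContext(protocol)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # PSK-only handshake: no certificates at all
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # callbacks cover RFC 4279 (TLS 1.2) PSK
    ctx.set_ciphers("PSK")  # refuse anything that is not a PSK cipher suite
    if protocol == ssl.PROTOCOL_TLS_SERVER:
        ctx.set_psk_server_callback(callback, hint)
    else:
        ctx.set_psk_client_callback(callback)
    return ctx


def psk_handshake(identity, key):
    """Handshake over a socketpair: ("ok", cipher), ("rejected", error) or ("unsupported", why)."""
    if not hasattr(ssl.SSLContext, "set_psk_server_callback"):  # API landed in Python 3.13
        return ("unsupported", "ssl.SSLContext has no PSK callbacks before Python 3.13")
    server_ctx = _psk_context(ssl.PROTOCOL_TLS_SERVER, server_psk_callback, IDENTITY_HINT)
    client_ctx = _psk_context(ssl.PROTOCOL_TLS_CLIENT, lambda hint: (identity, key))
    raw_server, raw_client = socket.socketpair()

    def serve():  # server side only completes (or aborts) the handshake
        try:
            with server_ctx.wrap_socket(raw_server, server_side=True, do_handshake_on_connect=False) as s:
                s.settimeout(5)
                s.do_handshake()
        except OSError:
            pass  # a bad identity or key reaches the client as a fatal alert
    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with client_ctx.wrap_socket(raw_client, do_handshake_on_connect=False) as c:
            c.settimeout(5)
            c.do_handshake()
            result = ("ok", c.cipher()[0])
    except OSError as exc:
        result = ("rejected", str(exc))
    worker.join()
    return result
```

A wrong key for a known identity is only detected when the Finished messages are verified, so it is also reported as "rejected" rather than as an unknown identity.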
gpshead (Member) commented Nov 27, 2023

Thanks for the contribution!

@gpshead gpshead closed this as completed Nov 27, 2023
samkhaningur added a commit to samkhaningur/cpython that referenced this issue Nov 27, 2023
pythongh-63284: Add support for TLS-PSK (pre-shared key) to the ssl module …
aisk pushed a commit to aisk/cpython that referenced this issue Feb 11, 2024
Glyphack pushed a commit to Glyphack/cpython that referenced this issue Sep 2, 2024