Is Python SSL API thread-safe?

Grant Edwards grant.b.edwards at gmail.com
Sat Jan 28 15:02:48 EST 2017


On 2017-01-22, Christian Heimes <christian at python.org> wrote:

> OpenSSL and Python's ssl module are thread-safe. However IO is not
> safe concerning reentrancy. You cannot safely share a SSLSocket
> between threads without a mutex. Certain aspects of the TLS protocol
> can cause interesting side effects. A recv() call can send data
> across a wire and a send() call can receive data from the wire,
> e.g. during re-keying.

And it looks to me like the Python SSL module does all of that.  It
provides mutexes and thread ID and locking callbacks as described in
the page below:

  https://www.openssl.org/docs/man1.0.2/crypto/threads.html

According to that page above it's safe to share the socket between
threads:

   OpenSSL can safely be used in multi-threaded applications provided
   that at least two callback functions are set, locking_function and
   threadid_func.

They python ssl module code does that, so python ssl sockets should be
thread safe.

Can you explain why you disagree?

Can you provide example code that demonstrates a failure?

> In order to archive reentrancy, you have to do all IO yourself by
> operating the SSL connection in non-blocking mode or with a
> Memorio-BIO https://docs.python.org/3/library/ssl.html#ssl-nonblocking

That section is about how to work with non-blocking sockets.  I'm not
using non-blocking sockets.

-- 
Grant Edwards               grant.b.edwards        Yow! Now I'm concentrating
                                  at               on a specific tank battle
                              gmail.com            toward the end of World
                                                   War II!



More information about the Python-list mailing list