pynetdicom
No support for TLS v1.3 (with OpenSSL 1.1.1)
Describe the bug
Attempting to associate as the Requestor with SSL/TLS and OpenSSL 1.1.1 causes the association to hang before any data is sent to the peer.

Expected behavior
The A-ASSOCIATE-RQ PDU should get sent and the association proceed as normal.

Steps To Reproduce
Have OpenSSL 1.1.1 installed and run:

pytest test_transport.py::TestTLS::test_tls_yes_server_yes_client
pytest test_transport.py::TestTLS::test_tls_transfer
Update 2020-01-15
Original issue was due to using TLS v1.3. Python support for TLS v1.3 is currently considered "provisional and experimental" and is therefore not supported by pynetdicom. Use TLS v1.2 (or whichever protocol you prefer) instead.
Occurs because AssociationSocket.ready uses select.select() to determine if there's data to be read and for some reason select() is always saying there is, even when there doesn't appear to be?
Works OK on the server socket and with OpenSSL 1.0.1f and 1.1.0g. Might be a python or openssl bug?
With Python 3.8rc1 the two unit tests only fail intermittently instead of always. Progress!
Given they fail intermittently there may be a way to fix this permanently.
Python support for TLS v1.3 is "provisional and experimental". It will also likely require a rewrite of the pynetdicom networking code to use non-blocking IO. Therefore pynetdicom currently only supports TLS up to version 1.2 until Python support for v1.3 stabilises and support for Python 2 ends.
It might be a good time to revisit this issue. Python 3.10 now requires OpenSSL 1.1.1 for the ssl module. As of Python 3.7, it should be possible to discover compatibility using ssl.HAS_TLSv1_3.
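The workaround the thread settles on (pin negotiation to TLS 1.2, and use ssl.HAS_TLSv1_3 to see whether the runtime could otherwise pick 1.3), written out as an added example; this is not pynetdicom's own code, and the function names, the allow_tls13 switch and the optional certificate arguments are my own assumptions for illustration. Requires Python 3.7+ for ssl.TLSVersion and ssl.HAS_TLSv1_3.

```python
import ssl


def tls_runtime_info():
    """Report what this interpreter's ssl module (and the OpenSSL it links) supports."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "has_tls1_2": ssl.HAS_TLSv1_2,
        "has_tls1_3": ssl.HAS_TLSv1_3,  # True on Python 3.7+ built against OpenSSL 1.1.1+
    }


def build_context(server_side, cafile=None, certfile=None, keyfile=None, allow_tls13=False):
    """Build an SSLContext for the acceptor (server_side=True) or the requestor.

    The version window is pinned to TLS 1.2 unless allow_tls13 is set, so a peer
    that offers TLS 1.3 negotiates 1.2 instead of triggering the select()-based hang.
    (Hypothetical helper; argument names are assumptions, not pynetdicom's API.)
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    # Set the minimum first so the maximum is never below it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if allow_tls13 and ssl.HAS_TLSv1_3:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def version_window(ctx):
    """Return the (minimum, maximum) protocol names the context will negotiate."""
    return ctx.minimum_version.name, ctx.maximum_version.name


def assert_not_tls13(ssl_sock):
    """Post-handshake guard: refuse to proceed if TLS 1.3 was negotiated anyway."""
    negotiated = ssl_sock.version()  # e.g. "TLSv1.2"; None before the handshake
    if negotiated == "TLSv1.3":
        raise RuntimeError("TLS 1.3 negotiated; cap the context at TLS 1.2 instead")
    return negotiated
```

Pass the context from build_context to wrap_socket on whichever side you control; assert_not_tls13 is a belt-and-braces check to run right after do_handshake.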
Agreed, I've been waiting for it all to mature before looking at it again.
I think we're good to go? This was much easier than I was expecting, mostly I think because the required fix(es) had already been spotted and merged earlier.