Python ssl problem with multiprocessing

Question

I want to send data from a client to the server in a TLS TCP socket from multiple client subprocesses so I share the same ssl socket with all subprocesses. Communication works with one subprocess, but if I use more than one subprocesses, the TLS server crashes with an ssl.SSLError (SSL3_GET_RECORD:decryption failed or bad record mac).

More specific: It does not depend which process first calls the SSLSocket.write() method, but this process is the only one from this time on which can call it. If another process calls write(), the server will result in the exception described above.

I used this basic code:

tlsserver.py

import socket, ssl

def deal_with_client(connstream):
    data = connstream.read()
    while data:
        print data
        data = connstream.read()
    connstream.close()

bindsocket = socket.socket()
bindsocket.bind(('127.0.0.1', 9998))
bindsocket.listen(5)

while True:
    newsocket, fromaddr = bindsocket.accept()
    connstream = ssl.wrap_socket(newsocket,
                                server_side=True,
                                certfile="srv.crt",
                                keyfile="srv.key",
                                ssl_version=ssl.PROTOCOL_TLSv1)
    deal_with_client(connstream)

tlsclient.py

import socket, ssl
import multiprocessing

class SubProc:
    def __init__(self, sock):
        self.sock = sock

    def do(self):
        self.sock.write("Test")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

ssl_sock = ssl.wrap_socket(s)
ssl_sock.connect(('127.0.0.1', 9998))

print "Connected to", repr(ssl_sock.getpeername())

for x in (1,2):
    subproc = SubProc(ssl_sock)
    proc = multiprocessing.Process(target=subproc.do)

And this is the backtrace:

Traceback (most recent call last):
  File "tlsserver.py", line 21, in <module>
    deal_with_client(connstream)
  File "tlsserver.py", line 7, in deal_with_client
    data = connstream.read()
  File "/usr/lib64/python2.6/ssl.py", line 136, in read
    return self._sslobj.read(len)
ssl.SSLError: [Errno 1] _ssl.c:1325: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Answer 1

The problem is that you're re-using the same connection for both processes. The way SSL encrypts data makes this fail -- the two processes would have to communicate with each other about the state of the shared SSL connection. Even if you do make it work, or if you didn't use SSL, the data would arrive at the server all jumbled up; you would have no real way of distinguishing which bytes came from which process.

What you need to do is give each process its own SSL connection, by making the connection in subproc.do. Alternatively, don't have the subprocesses communicate with the server at all, but rather communicate with the main process, and have the main process relay it over the SSL connection.