Issue 29810: Rename ssl.Purpose.{CLIENT,SERVER}_AUTH - Python tracker

Created on 2017-03-14 16:17 by alex, last changed 2022-04-11 14:58 by admin.

Messages (5)
msg289601 - Author: Alex Gaynor (alex) * (Python committer) Date: 2017-03-14 16:17
The names are super misleading. First, they're written in a way that's the opposite of how people think about these things (CLIENT_AUTH -> server socket; SERVER_AUTH -> client socket). Second, they're misleading, you can have TLS which is *mutually* authenticated. Third, CLIENT_AUTH is very frequently used for a server socket where the client isn't authenticated (at the TLS layer) at all! A simple fix would be to add: Purpose.{CLIENT,SERVER}_SOCKET and alias the old names to those values.
msg289604 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-14 16:38
For 3.7 I'm planning to move to protocols instead of purpose oids (PROTOCOL_TLS_CLIENT, PROTOCOL_TLS_SERVER).
msg289605 - Author: Alex Gaynor (alex) * (Python committer) Date: 2017-03-14 16:40
Ah, so instead of PROTOCOL_SSLv23 using PROTOCOL_TLS_CLIENT and deprecating the Purpose bits entirely? That sounds good to me!
msg289606 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-14 16:48
Yes, I'm planning a PEP to make the SSL module a bit more sane:

1) deprecate all protocols except for PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER
2) deprecate purpose in favor of PROTOCOL_TLS_*
3) PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED, match_hostname=True
msg289607 - Author: Alex Gaynor (alex) * (Python committer) Date: 2017-03-14 16:48
Sounds good to me!
History
Date User Action Args
2022-04-11 14:58:44 admin set github: 73996
2017-03-14 16:48:50 alex set messages: +
2017-03-14 16:48:30 christian.heimes set messages: +
2017-03-14 16:40:50 alex set messages: +
2017-03-14 16:38:30 christian.heimes set messages: +
2017-03-14 16:17:55 alex set nosy: + janssen, christian.heimes, dstufft
2017-03-14 16:17:49 alex create