[Python-Dev] PEP 466 (round 4): Python 2.7 network security enhancements
Antoine Pitrou solipsis at pitrou.net
Tue Mar 25 16:10:54 CET 2014
On Tue, 25 Mar 2014 14:25:29 +0000 Paul Moore <p.f.moore at gmail.com> wrote:
> On 25 March 2014 13:47, Nick Coghlan <ncoghlan at gmail.com> wrote:
> > It's not like we're going to just be giving the PEP to vendors as a spec and
> > leaving them to it - it's largely an invitation to participate more directly
> > upstream to help resolve a particularly thorny problem, not a Statement of
> > Work :)
> :-) I don't really know the APIs involved, but AIUI one of the 3.4 enhancements is exposing the SSLContext.
No, it was done as soon as 3.2. Note that exposing SSLContext doesn't achieve anything in itself, until you also add relevant APIs to query and influence the SSLContext's internal state (which was done gradually in 3.2, 3.3 and 3.4).
Separate enhancements have to do with strengthening the default SSL options and accepted SSL ciphers; when they didn't add new APIs or threaten to break legitimate use cases, they have even been applied to bugfix branches.
> Is the code to do this compatible with the version of OpenSSL bundled with Python 2.7 on Windows?
It is. Actually, we have (or had) buildbots with older OpenSSL versions!
The problem with backporting SSLContext is really that 1) you are adding a non-minimal new API set to the 2.7 feature set; 2) you must make it so that other stdlib modules take advantage of the new APIs (otherwise why bother?).
> This "I've written a patch but it hasn't been applied" is the type of scenario that puts people off contributing.
In the case of ssl, I think I've tried to apply most interesting and finished patches. This is how you get features such as NPN protocols or server-side SNI.
Regards
Antoine.
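
The point above about needing APIs to query and influence an SSLContext's state, as an added example that is not part of the original message or of CPython's own code: it audits a client context through its attributes, then hardens it through the matching setters. It assumes a current Python 3 (`get_ciphers()` and `minimum_version` arrived in 3.6 and 3.7, later than the releases named in the message); the function names, the finding strings and the `WEAK_TAGS` list are illustrative choices.

```python
import ssl

# Illustrative substrings of cipher names treated as weak (an assumption).
WEAK_TAGS = ("RC4", "NULL", "MD5", "3DES", "DES-CBC")

def audit(ctx):
    """Query an SSLContext's state and return a list of weak settings."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is allowed")
    # MINIMUM_SUPPORTED compares below every real version, so it is flagged too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocols older than TLS 1.2 are allowed")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in WEAK_TAGS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings

def harden(ctx):
    """Influence the same state through the context's setters."""
    ctx.verify_mode = ssl.CERT_REQUIRED   # set before enabling check_hostname
    ctx.check_hostname = True
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.load_default_certs()              # trust anchors for verification
    return ctx

def unverified_context():
    """Constructed sample: a client context with verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    ctx = unverified_context()
    print("before:", audit(ctx))
    print("after: ", audit(harden(ctx)))
```

Without the attributes read in `audit()`, a caller handed a context by another module would have no way to tell the two states apart.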