[Python-Dev] Python stdlib ssl.SSLContext is missing mode setting ability (original) (raw)

Cory Benfield cory at lukasa.co.uk
Thu Nov 19 03:14:17 EST 2015

On 19 Nov 2015, at 03:53, Ben Bangert <ben at groovie.org> wrote:

In Python 2 and 3, the ssl module's SSLContext object has a way to set SSL options, but not to set SSL modes. The setmode command and some of the available modes: https://www.openssl.org/docs/manmaster/ssl/SSLCTXsetmode.html The most critical mode is SSLMODERELEASEBUFFERS, which can drop the SSL overhead per connection from around 25kb to ~7kb. The pyopenssl library allows the setting of SSLContext modes, it seems very odd that the Python 2/3 ssl modules do not. Though I could understand that perhaps not all SSL libraries Python might build against would have this mode thing available.

Ben,

Do we need the ability to set arbitrary modes? Most of the modes mentioned in the OpenSSL documentation are things we actively don’t want the user to set because stuff will randomly break. With that in mind, and with the fact that SSL_MODE_RELEASE_BUFFERS is so obviously better than the standard, should we just instead have the ssl module automatically set SSL_MODE_RELEASE_BUFFERS unconditionally?

If so, I’m happy to submit a bug/patch to get that to happen.

Cory

-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://mail.python.org/pipermail/python-dev/attachments/20151119/4996b1d1/attachment.sig>

More information about the Python-Dev mailing list