[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
Victor Stinner victor.stinner at gmail.com
Tue May 23 20:54:34 EDT 2017
- Previous message (by thread): [Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
- Next message (by thread): [Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Well, things evolved recently. asyncio is getting more popular, TLS became even more important, and pyOpenSSL is no longer evolving (from what I heard from its maintainer, Hynek). Does Twisted still use pyOpenSSL?
I like the idea of putting more security stuff into Python to ease maintenance of applications and try to make it as secure as possible. Python has more resources (ex: CI) than some smaller projects.
Victor

2017-05-23 19:49 GMT-05:00 Alex Gaynor <alex.gaynor at gmail.com>:

I'm +1 on this, I even wrote the patch: https://bugs.python.org/issue22559 :-) If you're interested in making sure that still applies and tests still pass, I'd be a big fan.

In addition to all the benefits you mentioned, it also substantially reduces the diff between 2.7 and 3.x (or at least it did when I originally wrote it).

Cheers,
Alex

On Tue, May 23, 2017 at 8:46 PM, Victor Stinner <victor.stinner at gmail.com> wrote:

Hi,

Would you be ok to backport ssl.MemoryBIO and ssl.SSLObject on Python 2.7? I can do the backport.

https://docs.python.org/dev/library/ssl.html#ssl.MemoryBIO

Cory Benfield told me that it's a blocking issue for him to implement his PEP 543 -- A Unified TLS API for Python 2.7:

https://www.python.org/dev/peps/pep-0543/

And I expect that if a new cool TLS API happens, people will want to use it on Python 2.7-3.6, not only on Python 3.7. Security evolves more quickly than the current Python release process, and people want to keep their application secure.

From what I understood, he wants to first implement an abstract MemoryBIO API (http://sans-io.readthedocs.io/ like API? I'm not sure about that), and then implement a socket/FD based on top of that. Maybe later, some implementations might have a fast-path using socket/FD directly.

He described his PEP to me and I strongly support it (sorry, I missed it when he posted it on python-dev), but we decided (Guido van Rossum, Christian Heimes, Cory Benfield and me, see the tweet below) to not put this in the stdlib right now, but spend more time on testing it on Twisted, asyncio, requests, etc. So publishing an implementation on PyPI was proposed instead. It seems like we agreed on a smooth plan (or am I wrong, Cory?).

https://twitter.com/VictorStinner/status/865467388141027329

I'm quite sure that Twisted will love MemoryBIO on Python 2.7 as well, to implement TLS, especially on Windows using IOCP. Currently, external libraries (C extensions) are required.

I'm not sure if the PEP 466 should be amended for that? Is a new PEP really needed? MemoryBIO/SSLObject are tiny. Nick (Coghlan): what do you think?

https://www.python.org/dev/peps/pep-0466/

Victor

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
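
Added illustration, not part of the original message and not code from CPython or PEP 543: how ssl.MemoryBIO and ssl.SSLObject (Python 3.5+) let the TLS engine run with no socket, so the caller owns all I/O. The hostname "example.invalid" and the helper names are constructed for this example.

```python
import ssl


def new_client_engine(server_hostname):
    """Build a client-side TLS engine that is not attached to any socket."""
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    incoming = ssl.MemoryBIO()           # bytes received from the peer go in here
    outgoing = ssl.MemoryBIO()           # bytes the engine wants sent come out here
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    return sslobj, incoming, outgoing


def handshake_step(sslobj, incoming, outgoing, received=b""):
    """Feed peer bytes, advance the handshake, return (done, bytes_to_send)."""
    if received:
        incoming.write(received)
    try:
        sslobj.do_handshake()
        done = True
    except ssl.SSLWantReadError:
        done = False                     # engine is waiting for the peer's reply
    return done, outgoing.read()


def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, (major, minor), length."""
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")


def first_flight(server_hostname="example.invalid"):
    """Produce the ClientHello in memory; the caller chooses the transport."""
    sslobj, incoming, outgoing = new_client_engine(server_hostname)
    return handshake_step(sslobj, incoming, outgoing)


if __name__ == "__main__":
    done, hello = first_flight()
    ctype, version, length = parse_record_header(hello)
    print("handshake complete:", done)
    print("record type %d, version %r, %d payload bytes" % (ctype, version, length))
```

The bytes returned by first_flight() can be written to a blocking socket, an asyncio transport or an IOCP buffer; the reply is passed back through handshake_step() until it reports done.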