[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
Nick Coghlan ncoghlan at gmail.com
Thu May 25 09:22:39 EDT 2017
- Previous message (by thread): [Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
- Next message (by thread): [Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 25 May 2017 at 21:24, Antoine Pitrou <solipsis at pitrou.net> wrote:
> The new TLS API wouldn't significantly improve security. It's just a different API.
It isn't just a different API. It's an API with backends for the native TLS implementations on Windows and Mac OS X.
This means that instead of attempting to extract system certs and inject them into a bundled copy of OpenSSL, it becomes viable to just use the operating system provided security services and behave the same way as any other native application (at least as far as secure network connections are concerned).
Ideally, it would be good to get to a point where we can stop bundling OpenSSL entirely on Windows and Mac OS X, such that OpenSSL CVEs stop automatically turning into CPython CVEs, and we can instead delegate the task of prompt network security stack updates to the OS provider, the same way we do for non-Apple *nix systems.
Even if it isn't feasible to get Python 2.7 to that happy state by 2020, we may at least be able to get to a point where most routine TLS connections from Python 2.7 applications are using an OS provided TLS implementation, so their network security is less dependent on receiving updates to the Python level components of their stack.
>> I also understood that getting access to system CA allows admins to register their company CA and so avoid that users ignore the TLS warning (unknown CA).
>
> System admins can add the company CA at the system level in the system's CA cert store, they have no need for a Python API. Actually, they certainly don't want to modify every Python application to add a company CA.
The state of affairs that you're citing as undesirable is pretty much the way things currently work. Most Python applications still won't see system level certificates on Windows and Mac OS X, and they often won't see them even on Linux and *BSD systems (unless they're running directly in the system Python and using the system-provided requests module, which gets patched to use the system certs rather than the default Mozilla bundle).
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
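The trust-store split Nick describes (stdlib ssl consulting whatever OpenSSL was pointed at, requests consulting its own Mozilla bundle, neither of them the OS store on a python.org Windows or macOS build) is easy to check from inside a process. The script below is an added example written for this page, not code from the thread or from CPython; it uses only the standard library (Python 2.7.9+ or 3.x) and reports where a default verifying context actually gets its CA certificates, plus what requests would use. The `cafile` argument and the `diagnose` wording are this example's own choices.

```python
"""Audit which CA trust store a CPython process really uses for TLS verification.

Added example for the discussion above, not code from the thread. Standard library only.
"""
import os
import ssl


def trust_store_report(cafile=None):
    """Build a verifying context the way stdlib callers do and report its trust source.

    cafile: optional extra PEM bundle (e.g. a company CA) loaded on top of the
    OpenSSL/OS defaults. None means defaults only.
    """
    ctx = ssl.create_default_context()      # calls load_default_certs() internally
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    paths = ssl.get_default_verify_paths()
    stats = ctx.cert_store_stats()          # counts of certs actually in the X509 store
    return {
        # Compiled-in OpenSSL locations; on a python.org macOS build these point at a
        # bundled OpenSSL directory that is usually empty, never at the Keychain.
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        # Resolved locations (None when the file/dir does not exist), after honouring
        # the SSL_CERT_FILE / SSL_CERT_DIR environment overrides.
        "cafile": paths.cafile,
        "capath": paths.capath,
        "env_cafile": os.environ.get(paths.openssl_cafile_env),
        "env_capath": os.environ.get(paths.openssl_capath_env),
        # Only the Windows build reads the OS "ROOT"/"CA" stores into the context.
        "os_store_enumerable": hasattr(ssl, "enum_certificates"),
        "ca_certs_loaded": stats["x509_ca"],
        "certs_loaded": stats["x509"],
        "extra_cafile": cafile,
    }


def requests_bundle_path():
    """Where the requests library would look, which is independent of the ssl module.

    requests honours REQUESTS_CA_BUNDLE (then CURL_CA_BUNDLE) and otherwise uses
    certifi's Mozilla bundle, unless a distro has patched it to the system bundle.
    """
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if os.environ.get(var):
            return os.environ[var]
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def diagnose(report):
    """Turn a trust_store_report() dict into a one-line explanation."""
    if report["ca_certs_loaded"] == 0:
        return ("no CA certificates loaded: verified connections will fail with "
                "CERTIFICATE_VERIFY_FAILED; install a bundle or set SSL_CERT_FILE")
    sources = []
    if report["env_cafile"] or report["env_capath"]:
        sources.append("SSL_CERT_FILE/SSL_CERT_DIR override")
    elif report["cafile"] or report["capath"]:
        sources.append("OpenSSL default paths")
    if report["os_store_enumerable"]:
        sources.append("Windows certificate stores")
    if report["extra_cafile"]:
        sources.append("extra bundle %s" % report["extra_cafile"])
    if not sources:
        sources.append("unknown (certs present but no default path resolved)")
    return "%d CA certificates from: %s" % (report["ca_certs_loaded"], ", ".join(sources))


if __name__ == "__main__":
    rep = trust_store_report()
    for key in sorted(rep):
        print("%-20s %r" % (key, rep[key]))
    print("ssl module:  " + diagnose(rep))
    print("requests:    %r" % requests_bundle_path())
```

Run it once under the system Python and once under a python.org or virtualenv interpreter on the same machine and the two `diagnose` lines will typically disagree, which is the situation Nick is describing: a company CA added to the OS store shows up in at most one of them, and the requests path may differ from both.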