<div dir="ltr"><div dir="ltr">Not to derail this thread, but it may be worth looking into something like Android's network security config (<a href="https://developer.android.com/training/articles/security-config">https://developer.android.com/training/articles/security-config</a>) in relation to PEP 543. </div><div dir="ltr"><br></div><div dir="ltr">One of the key takeaways from their analysis of a large number of applications which touched TLS libraries was that their developers often wanted to do simple and sane things but wound up doing complicated and insane ones. To combat that, they created a fairly lightweight declarative syntax for allowing narrow deviations from best practice. This syntax does not have the full flexibility of their API, but is enough to satisfy the needs of lots of developers and prevent lots of mistakes along the way.</div><div dir="ltr"><br></div><div>In particular, I'd love to see some examples of how to achieve the same effects as the canonical network security config examples using a PEP 543 interface. If they're useful enough it may even be beneficial to wrap those up in a separate library, but at the very least it will help prove out that PEP 543 can do the most important things that developers will want it to do. If that already exists and I'm just ignorant of it, sorry for the noise.</div><div><br></div><div>Geremy Condra</div><div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Nov 2, 2018 at 3:25 PM Brett Cannon <<a href="mailto:brett@python.org">brett@python.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In case you never received a reply, you can try emailing Christian and Cory directly for an answer.<br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, 26 Oct 2018 at 13:20, Mathias Laurin <<a href="mailto:mathias.laurin@gmail.com" target="_blank">mathias.laurin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Python Dev,<br>
<br>
<br>
I posted the following to python-ideas but here may be<br>
a more suitable place. I apologize if cross posting<br>
bothers anyone.<br>
<br>
<br>
I have implemented an (I believe) PEP 543-conform TLS library<br>
and released TLS support in the latest version yesterday:<br>
<br>
<a href="https://github.com/Synss/python-mbedtls/tree/0.13.0" rel="noreferrer" target="_blank">https://github.com/Synss/python-mbedtls/tree/0.13.0</a><br>
<a href="https://pypi.org/project/python-mbedtls/0.13.0/" rel="noreferrer" target="_blank">https://pypi.org/project/python-mbedtls/0.13.0/</a><br>
<br>
<br>
As far as I know, I am the first one to follow PEP 543. So one<br>
point is that the API works. However, I have a couple of<br>
questions regarding the PEP:<br>
<br>
- I do not know what to do in `TLSWrappedBuffer.do_handshake()`.<br>
The full TLS handshake requires writing to the server, reading<br>
back, etc., (ClientHello, ServerHello, KeyExchange, etc.),<br>
which cannot be accomplished in a single buffer.<br>
<br>
For now, I am doing the handshake in<br>
`TLSWrappedSocket.do_handshake()`: I set the BIO to using the<br>
socket directly, then perform the handshake on the socket thus<br>
entirely bypassing the TLSWrappedBuffer. Once this is done, I<br>
swap the BIO to using the buffer and go on encrypting and<br>
decrypting from the buffer. That is, the encrypted<br>
communication is buffered.<br>
<br>
- The PEP sometimes mentions an "input buffer" and an "output<br>
buffer", and some other times just "the buffer". I believe<br>
that both implementations are possible. That is, with two<br>
different buffers for input and output, or a single one.<br>
<br>
I have implemented it with a single circular buffer (that is a<br>
stream after all). What the PEP is expecting is nonetheless<br>
not clear to me.<br>
<br>
<br>
So, can anybody clarify these two points from the PEP?<br>
<br>
<br>
Or should I just address Cory Benfield (who does not seem very<br>
active anymore lately) and Christian Heimes directly?<br>
<br>
<br>
Cheers,<br>
Mathias<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org" target="_blank">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/brett%40python.org" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/brett%40python.org</a><br>
</blockquote></div>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org" target="_blank">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/debatem1%40gmail.com" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/debatem1%40gmail.com</a><br>
</blockquote></div>