On 11/30/2022 4:52 PM, christer@weinigel.se wrote:
> Does this seem like a good idea? As I said, I feel that it is a bit ugly, but it does mean that if someone wants to use some SSL_really_obscure_function in libcrypto or libssl they can do that without having to rebuild all of CPython themselves.
Broadly, no, I don't think it's a good idea. We don't like encouraging
users to do things that make it hard to support them in the future.
Nonetheless, it's one that I've had to do, and so realistically I think
it's okay to *enable* the hack without endorsing it. This is one of the
reasons I switched the Windows builds to dynamically linked OpenSSL
builds (they used to be statically linked, which meant there was no way
to get at the unused exports). So now you can use `import _ssl;
ctypes.CDLL("libssl-1_1")` to get at other exports from the module if
you need them, and there's a similar trick to get the raw handle that I
don't recall off the top of my head.
But the only reason I'd ever want to document this is to tell people not
to rely on it. If you control your environment well enough that you can
guarantee it'll work for you, that's great. Nobody else should ever
think they're doing the "right thing".
+1 ... and in general if you want access to other OpenSSL APIs not already in the ssl module, getting them via non-stdlib packages on PyPI would be a better idea.
So if you want specific OpenSSL APIs that are not exposed, seeking to see them added to the standard library where they would then become features that need to be supported for a very long time, is going to be the most difficult approach as there'd need to be a very good reason to have them in the stdlib. Third party libraries that can provide what you need, or rolling your own libssl API wrappings however you choose to implement them, are better bets.
-Greg