Not to derail this thread, but it may be worth looking into something like Android's network security config (https://developer.android.com/training/articles/security-config) in relation to PEP 543. 

One of the key takeaways from their analysis of a large number of applications which touched TLS libraries was that their developers often wanted to do simple and sane things but wound up doing complicated and insane ones. To combat that, they created a fairly lightweight declarative syntax for allowing narrow deviations from best practice. This syntax does not have the full flexibility of their API, but is enough to satisfy the needs of lots of developers and prevent lots of mistakes along the way.

In particular, I'd love to see some examples of how to achieve the same effects as the canonical network security config examples using a PEP 543 interface. If they're useful enough it may even be beneficial to wrap those up in a separate library, but at the very least it will help prove out that PEP 543 can do the most important things that developers will want it to do. If that already exists and I'm just ignorant of it, sorry for the noise.

Geremy Condra

On Fri, Nov 2, 2018 at 3:25 PM Brett Cannon <brett@python.org> wrote:
In case you never received a reply, you can try emailing Christian and Cory directly for an answer.

On Fri, 26 Oct 2018 at 13:20, Mathias Laurin <mathias.laurin@gmail.com> wrote:
Hello Python Dev,


I posted the following to python-ideas but here may be
a more suitable place.  I apologize if cross posting
bothers anyone.


I have implemented an (I believe) PEP 543-conform TLS library
and released TLS support in the latest version yesterday:

https://github.com/Synss/python-mbedtls/tree/0.13.0
https://pypi.org/project/python-mbedtls/0.13.0/


As far as I know, I am the first one to follow PEP 543.  So one
point is that the API works.  However, I have a couple of
questions regarding the PEP:

- I do not know what to do in `TLSWrappedBuffer.do_handshake()`.
 The full TLS handshake requires writing to the server, reading
 back, etc., (ClientHello, ServerHello, KeyExchange, etc.),
 which cannot be accomplished in a single buffer.

 For now, I am doing the handshake in
 `TLSWrappedSocket.do_handshake()`: I set the BIO to using the
 socket directly, then perform the handshake on the socket thus
 entirely bypassing the TLSWrappedBuffer.  Once this is done, I
 swap the BIO to using the buffer and go on encrypting and
 decrypting from the buffer.  That is, the encrypted
 communication is buffered.

- The PEP sometimes mentions an "input buffer" and an "output
 buffer", and some other times just "the buffer".  I believe
 that both implementations are possible.  That is, with two
 different buffers for input and output, or a single one.

 I have implemented it with a single circular buffer (that is a
 stream after all).  What the PEP is expecting is nonetheless
 not clear to me.


So, can anybody clarify these two points from the PEP?


Or should I just address Cory Benfield (who does not seem very
active anymore lately) and Christian Heimes directly?


Cheers,
Mathias
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/brett%40python.org
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/debatem1%40gmail.com