On 2017-01-26 08:49, Nick Coghlan wrote: [...]
Option 5: as with Option 4, but the "ssl" module is also changed such that it *always* defines at least ssl.SSLError, ssl.SSLWantReadError, and ssl.SSLWantWriteError (and perhaps some of the other APIs that can be emulated atop the new tls abstraction), even if OpenSSL itself is unavailable [...] Option 5 would cover even that last case: legacy API consumers that only relied on being able to catch the legacy exceptions would tolerate the use of non-OpenSSL backends even in environments where OpenSSL itself wasn't available
Hi Nick,

I'm a bit worried that option 5 is wasting resources and/or has unwanted side effects. Import of ssl is costly because it also loads and initializes OpenSSL. It's an unnecessary burden for applications that do not wish to use OpenSSL (macOS SecureTransport, Windows SChannel) at all or not the bundled OpenSSL version (static builds of cryptography).

How about we move the exceptions and the base class for the TLSWrappedSocket to the `socket` module instead? In CPython the exception would live in _socket and get exported as PyCapsule.

The socket module provides:

    import abc

    class TLSError(OSError):
        """socket.TLSError"""

    class TLSWantWriteError(TLSError):
        """socket.TLSWantWriteError"""

    class TLSWantReadError(TLSError):
        """socket.TLSWantReadError"""

    class AbstractSocket(metaclass=abc.ABCMeta):
        """socket.AbstractSocket"""

The tls module provides:

    import socket
    from socket import TLSError, TLSWantReadError, TLSWantWriteError

    class TLSWrappedSocket(socket.AbstractSocket):
        pass

Christian