[pypy-dev] Validate SSL/TLS

Donald Stufft donald at stufft.io
Mon Jan 27 00:07:37 CET 2014 

On Jan 24, 2014, at 8:25 AM, Armin Rigo <arigo at tunes.org> wrote:

> Hi,
> 
> On Thu, Jan 23, 2014 at 5:28 PM, Maciej Fijalkowski <fijall at gmail.com> wrote:
>> Since I have absolutely no idea what you're talking about, let's start with:
> 
> Same for me.  Also, using another SSL library like PyOpenSSL is a good
> idea anyway --- on both CPython and PyPy.
> 
> If I had a choice I'd prefer to scrap the _ssl module from PyPy, but
> we can't because CPython has it too.  I wouldn't mind if using _ssl
> produced warnings on PyPy.  The alternative, which is coming up with
> better security features in the _ssl module, seems like a lot of work,
> of questionable use and safety (just use PyOpenSSL), and bound to
> break CPython compatibility.
> 
> 
> A bientôt,
> 
> Armin.

Sorry for the delay in responding to this.

Currently what I would like to do is backport the SSL hostname verification from CPython 3.x
to PyPy. Currently on CPython 2.x and PyPy if you wish to verify the hostname of SSL
connections you need to manually copy this backport into your code and use that. I think that
this is a sad state of affairs and would prefer to have it back ported to both CPython and PyPy.

The code I’ve seen in the wild tends to check for the existence of the functions that enable
this and fall back if they don’t exist. So this should just silently work for people. The benefit
of doing it in PyPy instead of each individual project is that it gives PyPy users a central
location to update if changes are needed to be made instead of needing to do this
in each project that does it.

The compatibly implications of this are:

1) Software written for CPython will continue to work out of the box with PyPy
2) Someone could write software that only worked on PyPy and CPython 3.x but not CPython 2.x

The CPython developers have thus far decided that back porting hostname verification to
CPython 2.x is not worth breaking the policy of no new features in 2.7. I disagree with this
conclusion fwiw.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/pypy-dev/attachments/20140126/c9a04712/attachment.sig>

More information about the pypy-dev mailing list