[issue43902] ssl module: add getter for SSL_CTX* and SSL*

Christian Heimes report at bugs.python.org
Wed Apr 21 03:59:53 EDT 2021


New submission from Christian Heimes <lists at cheimes.de>:

Python's ssl module exposes a limited and opinionated set of knobs to tune OpenSSL's behavior. Each new setter, getter, or function must be carefully designed, tested, and documented. For each feature, OpenSSL's C API must be converted into a Pythonic, self-explanatory interface.

I would like to give experts and power users an interface to set advanced options. libffi-based solutions like ctypes and cffi are obvious choices. For libffi to work, users need to be able to get the address of ssl.SSLContext()'s SSL_CTX pointer and the SSL* pointer of the internal _SSLSocket object.

While it's possible to use pointer arithmetic with id(ctx) + offset, I would like to add a more convenient way. Pointer arithmetic with ctypes is non-trivial. Users would have to rely on the internal, private layout of the PySSLContext and PySSLSocket structs. I'm considering two new methods, ctx._ssl_ctx_addr and ssl._ssl_addr (names are tentative).

>>> import ssl, ctypes
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> libssl = ctypes.CDLL("libssl.so.1.1")  # ssl._ssl.__file__ works, too
>>> libssl.SSL_CTX_set_ciphersuites(ctx._ssl_ctx_addr(), b"TLS_CHACHA20_POLY1305_SHA256")
1

Steve, Nathaniel, how do you like the idea in general? Do you have better ideas for function names?

----------
assignee: christian.heimes
components: SSL
messages: 391498
nosy: christian.heimes, njs, steve.dower
priority: normal
severity: normal
stage: patch review
status: open
title: ssl module: add getter for SSL_CTX* and SSL*
type: enhancement
versions: Python 3.10, Python 3.11

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43902>
_______________________________________
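The pointer-arithmetic route the report describes (id(ctx) + offset into the private PySSLContext layout), carried through as an added example that is not code from the report or from CPython: it reads the SSL_CTX* from the field that follows PyObject_HEAD, sanity-checks the recovered pointer against libssl's own view of the context before using it, and then calls SSL_CTX_set_ciphersuites through ctypes, reading the result back through the public ssl API. `_pyobject_head_size`, `load_libssl_of_interpreter`, `ssl_ctx_addr`, `restrict_tls13_ciphersuites` and `demo` are hypothetical helper names, not part of the ssl module. The code assumes a 64-bit Linux or macOS release build of CPython 3.10 or later whose `_ssl` extension is linked against a dynamically loaded OpenSSL 1.1.1 or 3.x.

```python
import ctypes
import ssl
import sys


def _pyobject_head_size():
    """Byte offset of the first C field after PyObject_HEAD.

    Assumes a regular CPython build (release, or debug without Py_TRACE_REFS).
    Free-threaded ('t' ABI) and trace-refs builds use a larger object header,
    so a fixed offset would read the wrong field; refuse rather than guess.
    """
    abiflags = getattr(sys, "abiflags", "")
    if "t" in abiflags or hasattr(sys, "getobjects"):
        raise RuntimeError("unsupported CPython object layout (abiflags=%r)" % abiflags)
    return ctypes.sizeof(ctypes.c_ssize_t) + ctypes.sizeof(ctypes.c_void_p)


def load_libssl_of_interpreter():
    """Resolve libssl symbols through the handle of the _ssl extension itself.

    Loading some other libssl by file name risks handing a pointer allocated by
    one OpenSSL build to a second copy of the library (different ABI, different
    allocator), which is undefined behaviour. Only the copy _ssl is linked
    against is safe to call on this SSL_CTX.
    """
    import _ssl
    path = getattr(_ssl, "__file__", None)   # None when _ssl is built into the binary
    lib = ctypes.CDLL(path)                   # CDLL(None) searches the main program's scope
    if not hasattr(lib, "SSL_CTX_get_options"):
        raise RuntimeError("libssl symbols not reachable via _ssl; refusing to load another copy")
    lib.SSL_CTX_get_options.argtypes = [ctypes.c_void_p]
    # unsigned long in OpenSSL 1.1.1, uint64_t in 3.x; both are 64 bits on LP64 platforms
    lib.SSL_CTX_get_options.restype = ctypes.c_uint64
    lib.SSL_CTX_set_ciphersuites.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    lib.SSL_CTX_set_ciphersuites.restype = ctypes.c_int
    return lib


def ssl_ctx_addr(ctx, lib):
    """Recover the SSL_CTX* behind an ssl.SSLContext (hypothetical helper).

    PySSLContext is laid out as PyObject_HEAD followed by `SSL_CTX *ctx`. That
    is a private CPython detail and may change between versions. The cross-check
    compares OpenSSL's view of the option bits with ssl's view: it catches a
    wrong offset that still points at readable memory, but an unreadable address
    would crash the process before the check runs.
    """
    addr = ctypes.c_void_p.from_address(id(ctx) + _pyobject_head_size()).value
    if not addr:
        raise RuntimeError("read a NULL SSL_CTX pointer; layout assumption is wrong")
    if lib.SSL_CTX_get_options(addr) != int(ctx.options):
        raise RuntimeError("SSL_CTX pointer failed sanity check; layout assumption is wrong")
    return addr


def restrict_tls13_ciphersuites(ctx, suites):
    """Set the TLS 1.3 ciphersuite list directly via libssl, then return the
    TLS 1.3 suites the context now offers, read back through the public API."""
    lib = load_libssl_of_interpreter()
    if lib.SSL_CTX_set_ciphersuites(ssl_ctx_addr(ctx, lib), suites) != 1:
        raise RuntimeError("SSL_CTX_set_ciphersuites rejected %r" % (suites,))
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def demo():
    # A fresh server context offers several TLS 1.3 suites; after the call
    # only the one we passed in should remain.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return restrict_tls13_ciphersuites(ctx, b"TLS_AES_256_GCM_SHA384")


if __name__ == "__main__":
    print(demo())
```

Two things the example makes concrete that the one-liner in the report does not: the libssl handle has to be the copy `_ssl` is actually linked against, and a pointer recovered by offset must be validated before any call that dereferences it. Both checks are best-effort, which is the case for an official getter.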