[Python-Dev] Re: Python and SSL

Martin Sjögren martin@strakt.com
Wed, 11 Jul 2001 16:12:21 +0200


On Wed, Jul 11, 2001 at 03:33:21PM +0200, M.-A. Lemburg wrote:
> "Martin Sjögren" wrote:
> > I'm currently in the process of developing a basic OpenSSL module for
> > Python. Before you say anything, yes I know about M2Crypto and its SSL
> > support, but for a number of reasons, it doesn't fulfill our needs.
>
> Note that there's also amkCrypto (the successor of mxCrypto which
> is a wrapper of the low-level blazing fast tools in OpenSSL):
>
> 	http://www.amk.ca/python/code/crypto.html

Yeah I looked at this too, but it doesn't have the things I'm interested
in (SSL_write,read,... etc). At first glance it looks like this module and
my module complement each other, but I may be wrong :-)

> > We found the SSL support in Python to be insufficient (nonexistent :-))
> > for our needs.  We thus decided to write our own module.
> >
> > The module is faaaar from complete as an interface to the general
> > cryptographic functionality of OpenSSL, but it does have basic SSL
> > support, including authorization using certificates, PRNG seeding
> > functions and an error handling system.
>
> There is some support in the socket module for dealing with HTTPS.
> Which level of OpenSSL are you focussing (ciphers, certificates
> or protocol) ?

We're using SSL to secure the communication in a client/server situation,
using certificates for authentication. Basically, my module is what we
think we need right now, no more, no less. Given that, I may continue work
on it, as our need changes.

> > The whole kit (including some documentation) can be found here:
> > http://www.strakt.com/~martin/pyOpenSSL.tar.gz
> >
> > My question is... What do I do now? Where to proceed?
>
> Since the module is "far from complete", I'd suggest to put the project
> up on the web somewhere to let it mature.

"faaaar from complete" in that it doesn't do everything OpenSSL does! I'd
like to think that it's pretty well contained, and can be used for exactly
the kind of things we are going to use it for.

Nevertheless, letting it mature isn't a bad idea. What is badly needed is
getting it compiled and checked on Windows. We're doing all our
development under Linux, and while it's sufficient that the server (which
is written in C and Python) runs on *IX, the client most definitely must
run on Windows.

Any suggestion where to put it so that it's found? The Vaults of Parnassus
I guess, are there any other interesting spots?

> I am not sure whether it's a good idea to put
> crypto code into the standard Python distribution due to the issues
> involved in this (import/export restrictions, etc.), but
> perhaps we could open up the Python core a bit for these
> "extra" utilities and make them available as separate download
> alongside the standard ones.

I agree with that, but one can argue that since all cryptographic stuff is
actually done by the OpenSSL library, this module won't even get compiled
and installed unless you have OpenSSL on your machine already. As they say
on SlashDot, IANAL, and I'm not American so it's not that big a problem
for me personally.

> > Please CC me replies, since I'm (of course) not on the list.

This is still relevant ;) I haven't seen a reply to my subscribe-request
yet.

Martin

--
Martin Sjögren
  martin@strakt.com              ICQ : 41245059
  Phone: +46 (0)31 405242        Cell: +46 (0)739 169191
  GPG key: http://www.strakt.com/~martin/gpg.html