[Python-Dev] Future of SSL

Gerhard Häring gerhard@bigfoot.de
Sat, 27 Oct 2001 01:42:12 +0200 

First I'd like to say hello. I'm new to this list :-)

I've some concerns with the latest development wrt SSL development in
Python.

The SSL support in the Python core seems to have been added with Python
2.0, and Guido told me in a SF patch discussion, that Pythonlabs doesn't
know the code very well. Meanwhile it seems like Jeremy has tried fixing
bugs. I've also submitted several patches to the SSL code.

As you might know, there are several third-party SSL implementatations
for Python (m2crypto, pyOpenSSL, POW). I've contacted the maintainers of
these packages and asked them if they'd like to review my patches.

The two that answered told me that the reason they implemented their own
packages was that the SSL support in Python itself was very incomplete
and, to sum it up, Python's SSL is just plain broken.

The current state is that there is a single ssl() method in the socket
module that can be used to instantiate client-side SSL connections.
There's also a patch on Sourceforge that adds server-side SSL
functionality.

Several points why the current API is broken:
- no support for specifying the SSL protocol (SSL v2/SSL v3/SSL v2|3)
- no proper certicate checking
- SSL objects are neither compatible with sockets nor are they file-like
  objects
- no advanced features like SSL callbacks (to allow the user to accept a
  cerficicate, for example)

What I'd suggest for Python 2.2 is to *not* add any new features, like
server-side SSL but only accept bugfixes for the current client-side
code.

As the current implementation is broken and there is probably little SSL
knowledge in the Python core team, I propose to "outsource" the problem:

It should be possible to define a "Python SSL interface" that describes
an API for SSL. The various modules in Python that use SSL (urllib,
smtp, ...) would then be rewritten to use the new API. The
socketmodule.c would be rewritten to use the new API instead.

Then, wrappers could be written for the various SSL modules that wrap
them into the new "Python SSL interface" API.

As for me, I'm not an expert in SSL, but I'd be willing to try
coordinate the efforts, write a PEP, talk with the module maintainers
and such.

I'd be grateful to hear your opinions about this newbie proposal :-)

Gerhard
-- 
mail:   gerhard <at> bigfoot <dot> de       registered Linux user #64239
web:    http://www.cs.fhm.edu/~ifw00065/    OpenPGP public key id 86AB43C0
public key fingerprint: DEC1 1D02 5743 1159 CD20  A4B6 7B22 6575 86AB 43C0
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))