[Python-Dev] ssl
exarkun at twistedmatrix.com
Sat Jun 5 15:11:09 CEST 2010
On 08:34 am, kristjan at ccpgames.com wrote:
>Hello there.
>I wanted to do some work on the ssl module, but I was a bit daunted at
>the prerequisites. Is there anywhere that I can get at precompiled
>libs for the openssl that we use?
>In general, getting all those "external" projects seems to be complex to
>build. Is there a fast way?
I take it the challenge is that you want to do development on Windows?
If so, this might help:
http://www.slproweb.com/products/Win32OpenSSL.html
It's what I use for any Windows pyOpenSSL development I need to do.
>
>What I want to do, is to implement a separate BIO for OpenSSL, one that
>calls back into python for writes and reads. This is so that I can use
>my own sockets implementation for the actual IO, in particular, I want
>to funnel the encrypted data through our IOCompletion-based stackless
>sockets.
For what it's worth, Twisted's IOCP SSL support is implemented using
pyOpenSSL's support of OpenSSL memory BIOs. This is a little different
from your idea: memory BIOs are a built-in part of OpenSSL, and just
give you a buffer from which you can pull whatever bytes OpenSSL wanted
to write (or a buffer into which to put bytes for OpenSSL to read).
I suspect this would work well enough for your use case. Being able to
implement an actual BIO in Python would be pretty cool, though.
>
>If successful, I think this would be a useful addition to ssl.
>You would do something like:
>
>class BIO():
>    def write(self): pass
>    def read(self): pass
>
>import ssl
>bio = BIO()
>ssl_socket = ssl.wrap_bio(bio, ca_certs=...)
Hopefully this would integrate more nicely with the recent work Antoine
has done with SSL contexts. The preferred API for creating an SSL
connection is now more like this:
    import ssl
    ctx = ssl.SSLContext(...)
    conn = ctx.wrap_socket(...)
So perhaps you want to add a wrap_bio method to SSLContext. In fact,
this would be the more general API, and could supersede wrap_socket:
after all, socket support is just implemented with the socket BIOs.
wrap_socket would become a simple wrapper around something like
wrap_bio(SocketBIO(socket)).
>
>I am new to OpenSSL, I haven't even looked at what a BIO looks like,
>but I read this: http://marc.info/?l=openssl-users&m=99909952822335&w=2
>which indicates that this ought to be possible. And before I start
>experimenting, I need to get my OpenSSL external ready.
>
>Any thoughts?
It should be possible. One thing that's pretty tricky is getting
threading right, though. Python doesn't have to deal with this problem
yet, as far as I know, because it never does something that causes
OpenSSL to call back into Python code. Once you have a Python BIO
implementation, this will clearly be necessary, and you'll have to solve
this. It's certainly possible, but quite fiddly.
Jean-Paul
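
The memory-BIO pattern described in this message, as an added example that is not part of the original thread: it uses ssl.MemoryBIO and SSLContext.wrap_bio, which the standard library gained later (Python 3.5), rather than pyOpenSSL or a Python-implemented BIO. The send/recv callables and the example.invalid hostname are assumptions standing in for the application's own transport and peer.

```python
import ssl

def new_client(server_hostname="example.invalid"):
    """TLS client whose ciphertext lives in two memory buffers, not a socket."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()  # ciphertext from the peer is written in here
    outgoing = ssl.MemoryBIO()  # ciphertext OpenSSL wants sent is read from here
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    return tls, incoming, outgoing

def drive_handshake(tls, incoming, outgoing, send, recv):
    """Run the handshake; send/recv are the caller's own transport (hypothetical)."""
    while True:
        try:
            tls.do_handshake()
            done = True
        except ssl.SSLWantReadError:
            done = False  # OpenSSL needs more bytes from the peer
        if outgoing.pending:
            send(outgoing.read())  # flush whatever OpenSSL queued
        if done:
            return
        data = recv()
        if not data:
            raise ConnectionError("peer closed before the handshake finished")
        incoming.write(data)

if __name__ == "__main__":
    # Constructed demo: no peer at all, so only the ClientHello is produced.
    sent = []
    tls, incoming, outgoing = new_client()
    try:
        drive_handshake(tls, incoming, outgoing, sent.append, lambda: b"")
    except ConnectionError:
        pass
    print(len(sent[0]), "bytes, record type", hex(sent[0][0]))
```

Certificate and hostname verification still run inside OpenSSL under the default context; only the movement of ciphertext is left to the caller.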