[Python-Dev] ssl

exarkun at twistedmatrix.com
Sat Jun 5 15:11:09 CEST 2010


On 08:34 am, kristjan at ccpgames.com wrote:
>Hello there.
>I wanted to do some work on the ssl module, but I was a bit daunted at 
>the prerequisites.  Is there anywhere that I can get at precompiled 
>libs for the openssl that we use?
>In general, getting all those "external" projects seems to be complex to 
>build.  Is there a fast way?

I take it the challenge is that you want to do development on Windows? 
If so, this might help:

  http://www.slproweb.com/products/Win32OpenSSL.html

It's what I use for any Windows pyOpenSSL development I need to do.
>
>What I want to do, is to implement a separate BIO for OpenSSL, one that 
>calls back into python for writes and reads.  This is so that I can use 
>my own sockets implementation for the actual IO, in particular, I want 
>to funnel the encrypted data through our IOCompletion-based stackless 
>sockets.

For what it's worth, Twisted's IOCP SSL support is implemented using 
pyOpenSSL's support of OpenSSL memory BIOs.  This is a little different 
from your idea: memory BIOs are a built-in part of OpenSSL, and just 
give you a buffer from which you can pull whatever bytes OpenSSL wanted 
to write (or a buffer into which to put bytes for OpenSSL to read).

I suspect this would work well enough for your use case.  Being able to 
implement an actual BIO in Python would be pretty cool, though.
>
>If successful, I think this would be a useful addition to ssl.
>You would do something like:
>
>class BIO():
>  def write(self): pass
>  def read(self): pass
>
>import ssl
>bio = BIO()
>ssl_socket = ssl.wrap_bio(bio, ca_certs=...)

Hopefully this would integrate more nicely with the recent work Antoine 
has done with SSL contexts.  The preferred API for creating an SSL 
connection is now more like this:

    import ssl
    ctx = ssl.SSLContext(...)
    conn = ctx.wrap_socket(...)

So perhaps you want to add a wrap_bio method to SSLContext.  In fact, 
this would be the more general API, and could supersede wrap_socket: 
after all, socket support is just implemented with the socket BIOs. 
wrap_socket would become a simple wrapper around something like 
wrap_bio(SocketBIO(socket)).
>
>I am new to OpenSSL, I haven't even looked at what a BIO looks like, 
>but I read this:  http://marc.info/?l=openssl-users&m=99909952822335&w=2
>which indicates that this ought to be possible.  And before I start 
>experimenting, I need to get my OpenSSL external ready.
>
>Any thoughts?

It should be possible.  One thing that's pretty tricky is getting 
threading right, though.  Python doesn't have to deal with this problem 
yet, as far as I know, because it never does something that causes 
OpenSSL to call back into Python code.  Once you have a Python BIO 
implementation, this will clearly be necessary, and you'll have to solve 
this.  It's certainly possible, but quite fiddly.

Jean-Paul
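
The memory-BIO approach described in the reply above, as an added example that is not part of the original message or of Twisted's code: it uses ssl.MemoryBIO and SSLContext.wrap_bio, which were added to the standard library later (Python 3.5), and shows the TLS engine producing its ClientHello into a buffer with no socket involved. The hostname "example.test" and the function names are assumptions made for the illustration.

```python
import ssl


def pump(sslobj, outgoing):
    """Advance the handshake one step and return the bytes OpenSSL queued.

    SSLWantReadError is not a failure here: it means OpenSSL has written
    what it can and is waiting for peer bytes in the incoming BIO.
    """
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass
    # Drain whatever OpenSSL wanted to write; the caller owns the transport.
    return outgoing.read()


def start_client(server_hostname="example.test"):
    """Create a socket-less TLS client and return it with its first flight."""
    # Default context keeps certificate and hostname verification enabled.
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()   # bytes received from the peer go in here
    outgoing = ssl.MemoryBIO()   # bytes to send to the peer come out here
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    first_flight = pump(sslobj, outgoing)
    return sslobj, incoming, outgoing, first_flight


if __name__ == "__main__":
    sslobj, incoming, outgoing, hello = start_client()
    # These bytes would be handed to any transport (IOCP, stackless sockets,
    # a test harness); replies from the peer are fed back with
    # incoming.write(data) followed by another pump().
    print("record type: 0x%02x, %d bytes to send" % (hello[0], len(hello)))
    print("nothing more to send until the peer answers:",
          pump(sslobj, outgoing) == b"")
```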

