[Python-Dev] PEP 466 (round 4): Python 2.7 network security enhancements
Antoine Pitrou
solipsis at pitrou.net
Tue Mar 25 16:10:54 CET 2014
On Tue, 25 Mar 2014 14:25:29 +0000
Paul Moore <p.f.moore at gmail.com> wrote:
> On 25 March 2014 13:47, Nick Coghlan <ncoghlan at gmail.com> wrote:
> > It's not like we're going to just be giving the PEP to vendors as a spec and
> > leaving them to it - it's largely an invitation to participate more directly
> > upstream to help resolve a particularly thorny problem, not a Statement of
> > Work :)
>
> :-)
>
> I don't really know the APIs involved, but AIUI one of the 3.4
> enhancements is exposing the SSLContext.
No, it was done as soon as 3.2. Note that exposing SSLContext doesn't
achieve anything *in itself*, until you also add relevant APIs to
query and influence the SSLContext's internal state (which was done
gradually in 3.2, 3.3 and 3.4).
Separate enhancements have to do with strengthening the default SSL
options and accepted SSL ciphers; when they didn't add new APIs or
threaten to break legitimate use cases, they have even been applied to
bugfix branches.
> Is the code to do this
> compatible with the version of OpenSSL bundled with Python 2.7 on
> Windows?
It is. Actually, we have (or had) buildbots with older OpenSSL versions!
The problem with backporting SSLContext is really that 1) you are adding
a non-minimal new API set to the 2.7 feature set; 2) you must make it so
that other stdlib modules take advantage of the new APIs (otherwise
why bother?).
> This "I've written a patch but it hasn't been applied" is the type of
> scenario that puts people off contributing.
In the case of ssl, I think I've tried to apply most interesting and
finished patches. This is how you get features such as NPN protocols or
server-side SNI.
Regards
Antoine.
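
Added example, not part of the message above and not CPython's own code: what "query and influence the SSLContext's internal state" looks like with the Python 3.7+ ssl module, reading a context's settings back and then tightening them. The helper names, the finding strings and the list of legacy cipher markers are assumptions made for illustration.

```python
import ssl

# Substrings of legacy cipher suite names (illustrative list, an assumption).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP")

def query_state(ctx):
    """Read back the security-relevant state held inside an SSLContext."""
    return {
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "minimum_version": ctx.minimum_version,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }

def findings(ctx):
    """Return a list of weaknesses found in the context's current state."""
    s = query_state(ctx)
    out = []
    if s["verify_mode"] != ssl.CERT_REQUIRED:
        out.append("peer certificate not required")
    if not s["check_hostname"]:
        out.append("hostname not checked")
    if not s["no_compression"]:
        out.append("TLS compression allowed")
    if s["minimum_version"] < ssl.TLSVersion.TLSv1_2:
        out.append("protocol versions below TLS 1.2 allowed")
    if any(m in name for name in s["ciphers"] for m in WEAK_CIPHER_MARKERS):
        out.append("legacy cipher suite enabled")
    return out

def harden(ctx):
    """Influence the same state: tighten options, versions, ciphers, verification."""
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.verify_mode = ssl.CERT_REQUIRED   # must be set before check_hostname
    ctx.check_hostname = True
    return ctx

def make_weak_context():
    """Constructed sample: a client context with verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    ctx = make_weak_context()
    print("before:", findings(ctx))
    print("after: ", findings(harden(ctx)))
```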