[Python-Dev] Let's make the SSL module sane
Christian Heimes
christian at python.org
Sat Sep 10 15:20:17 EDT 2016
On 2016-09-10 17:24, Nick Coghlan wrote:
> On 11 September 2016 at 00:22, Christian Heimes <christian at python.org> wrote:
>> First I like to deprecated some old APIs and favor of SSLCotext. We have
>> multiple ways to create a SSL socket or to configure libraries like
>> urllib. The general idea is to make SSLContext the central object for
>> TLS/SSL configuration. My patch deprecates ssl.wrap_socket()
>
> I'll bring over my question from the tracker issue to here: there's a
> subset of ssl.wrap_socket() arguments which actually make sense as
> arguments to ssl.get_default_context().wrap_socket().
>
> Accordingly, we can pick a subset of code (e.g. SSL/TLS clients) that
> we bless with not needing to change, leaving only code using
> deprecated parameters or creating server sockets that needs to be
> updated.
Do you consider ssl.wrap_socket() relevant for so many projects? The
function hurts performance and is no longer best practice. The
deprecation of ssl.wrap_socket() is a friendly nudge. I don't mind to
keep it around for another four or six years.
There is one other use case not covered by SSLContext.wrap_socket() but
by SSLSocket.__init__(). The SSLSocket constructor takes a fileno
argument. But it's an undocumented feature and it's broken since at
least 3.3. https://bugs.python.org/issue27629
> As with past network security changes, a major factor we need to
> account for is that no matter how valuable a particular goal is from a
> broader industry perspective, people don't tend to react to API breaks
> by fixing their code - they react by not upgrading at all.
I totally agree and have been verify careful to keep backwards
compatibility. My third patch breaks just one scenario:
ssl.create_default_context(purpose=Purpose.SERVER_AUTH) no longer
supports server-side connections and CLIENT_AUTH no longer client-side
connections. It's the good kind of incompatibility because it reveals
API misuse. Application should never have used SERVER_AUTH context to
create server sockets.
Christian
More information about the Python-Dev
mailing list