[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 8 16:49:49 EDT 2017


> On 8 Jun 2017, at 21:17, Donald Stufft <donald at stufft.io> wrote:
> 
>> 
>> On Jun 8, 2017, at 3:57 PM, Steve Dower <steve.dower at python.org> wrote:
>> 
>> Awesome, this is exactly what I needed to see.
>> 
>> What if Python 2.7 just exposed the OpenSSL primitives necessary so that ctypes could use them? Is that a viable approach here? Presumably then a MemoryBIO backport could be pure-Python.
>> 
>> It doesn't help the other *ythons, but unless they have MemoryBIO implementations ready to backport then I can't think of anything that will help them short of a completely new API.
>> 
> 
> 
> I would have to let Cory answer the question about feasibility here since he’s much more familiar with OpenSSL’s API (and even binding something like this with ctypes) than I am. The first thing that really stands out to me though is it just feels a bit like shuffling deckchairs?

The short answer is that, while it’s do-able, we have some problems with ABI compatibility. OpenSSL 1.1 and 1.0 are ABI incompatible, so I have to write divergent ctypes code to handle each case. It may also be relevant to support OpenSSL 0.9.x, so we roll into the same ABI compatibility concern all over again. Doubly annoyingly, a bunch of OpenSSL code in 1.0 is actually macros, which don’t work in ctypes, so there’ll be a lot of futzing about in structures to get what I need to do done.

This also doesn’t get into the difficulty of some operating systems shipping a LibreSSL masquerading as an OpenSSL, which is subtly incompatible in ways I don’t fully understand at this time.
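As an added illustration of the ABI split discussed in this message (not code from the thread or from CPython), the sketch below shows the first branch a ctypes binding has to take: working out which library it has actually loaded. The function names `classify` and `probe` are hypothetical; the C entry points they call (`SSLeay`, `SSLeay_version`, `OpenSSL_version_num`, `OpenSSL_version`) are the real exported version functions.

```python
import ctypes
import ctypes.util


def classify(version_text, version_num, has_11_api):
    """Choose which set of ctypes bindings fits a loaded libcrypto."""
    # LibreSSL exports the OpenSSL symbol names, so only the text gives it away.
    if version_text.startswith("LibreSSL"):
        return "libressl"
    # OpenSSL packs its version as 0xMNNFFPPS: M = major, NN = minor.
    major = (version_num >> 28) & 0xF
    minor = (version_num >> 20) & 0xFF
    if (major, minor) >= (1, 1) and has_11_api:
        return "openssl-1.1"
    if (major, minor) == (1, 0):
        return "openssl-1.0"
    if major == 0:
        return "openssl-0.9"
    return "unknown"


def probe(lib):
    """Query a libcrypto handle through whichever version API it exports."""
    has_11_api = hasattr(lib, "OpenSSL_version_num")
    if has_11_api:  # entry points introduced in OpenSSL 1.1.0
        num_fn, text_fn = lib.OpenSSL_version_num, lib.OpenSSL_version
    else:  # 1.0.x and 0.9.x only export the SSLeay names
        num_fn, text_fn = lib.SSLeay, lib.SSLeay_version
    num_fn.restype = ctypes.c_ulong
    text_fn.restype = ctypes.c_char_p
    text_fn.argtypes = [ctypes.c_int]
    text = text_fn(0).decode("ascii", "replace")  # 0 = OPENSSL_VERSION / SSLEAY_VERSION
    return classify(text, num_fn(), has_11_api), text


if __name__ == "__main__":
    path = ctypes.util.find_library("crypto")
    if path is None:
        print("no libcrypto found on this system")
    else:
        print(probe(ctypes.CDLL(path)))
```

Every later binding (struct layouts, macro replacements, init calls) would have to key off the label returned here, which is the divergence the message describes.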
