[Python-Dev] PEP 543-conform TLS library
Mathias Laurin
mathias.laurin at gmail.com
Fri Oct 26 15:34:38 EDT 2018
Hello Python Dev,
I posted the following to python-ideas but here may be
a more suitable place. I apologize if cross posting
bothers anyone.
I have implemented an (I believe) PEP 543-conform TLS library
and released TLS support in the latest version yesterday:
https://github.com/Synss/python-mbedtls/tree/0.13.0
https://pypi.org/project/python-mbedtls/0.13.0/
As far as I know, I am the first one to follow PEP 543. So one
point is that the API works. However, I have a couple of
questions regarding the PEP:
- I do not know what to do in `TLSWrappedBuffer.do_handshake()`.
The full TLS handshake requires writing to the server, reading
back, etc., (ClientHello, ServerHello, KeyExchange, etc.),
which cannot be accomplished in a single buffer.
For now, I am doing the handshake in
`TLSWrappedSocket.do_handshake()`: I set the BIO to using the
socket directly, then perform the handshake on the socket thus
entirely bypassing the TLSWrappedBuffer. Once this is done, I
swap the BIO to using the buffer and go on encrypting and
decrypting from the buffer. That is, the encrypted
communication is buffered.
- The PEP sometimes mentions an "input buffer" and an "output
buffer", and some other times just "the buffer". I believe
that both implementations are possible. That is, with two
different buffers for input and output, or a single one.
I have implemented it with a single circular buffer (that is a
stream after all). What the PEP is expecting is nonetheless
not clear to me.
So, can anybody clarify these two points from the PEP?
Or should I just address Cory Benfield (who does not seem very
active anymore lately) and Christian Heimes directly?
Cheers,
Mathias
More information about the Python-Dev
mailing list