[Security-sig] Unified TLS API for Python
Christian Heimes
christian at cheimes.de
Wed Jan 11 14:49:13 EST 2017
On 2017-01-11 20:01, Cory Benfield wrote:
> Socket
> ~~~~~~
>
> The socket-wrapper ABC will be defined by the ``TLSWrappedSocket`` ABC, which
> has the following definition::
>
> class TLSWrappedSocket(metaclass=ABCMeta):
> # The various socket methods all must be implemented. Their definitions
> # have been elided from this class defintion in the PEP because they
> # aren't instructive.
I sent my first mail too early and forgot three things.
Python's ssl module has additional weird modes. It's possible to create
an unconnected SSLSocket and later connect it.
Pseudo code:
s1 = socket.socket()
s2 = context.wrap_socket(s1)
s2.connect((host, port))
AFAIK PyOpenSSL doesn't support this mode. How do we deal with
unconnected sockets, UDP/DTLS and other transports? Are sockets limited
to AF_INET / AF_INET6 and SOCK_STREAM?
In the not-so-distant future SRV-ID validation will become relevant. In
order to support dNSName, IPAddress, and SRV-ID validation, the TLS
socket needs the hostname (if available), IP address, port and service
type (e.g. http, ldap, xmpp-server, ...).
For hostname validation we should also define how we are going to deal
with encodings. Is the hostname always a IDN U-label, A-label or can it
be both?
Christian
More information about the Security-SIG
mailing list