[Security-sig] Unified TLS API for Python

Cory Benfield cory at lukasa.co.uk
Wed Jan 11 15:16:12 EST 2017


> On 11 Jan 2017, at 19:36, Christian Heimes <christian at cheimes.de> wrote:
> 
> Since this function is only required for TLS servers and TLS client cert
> authentication, I'd rather mark this function provisional or not define
> it in the first version.

Is that the best option? Will there be any TLS implementation that cannot meet a stripped down version of this function’s requirements? If we can achieve a minimum viable approach whereby 80% of the use-case (unencrypted/encrypted certs on disk) can be met, I’d like to be able to meet it.

>>        @abstractmethod
>>        def set_ciphers(self, ciphers: List[Ciphers]) -> None:
>>            """
>>            Set the available ciphers for TLS connections created with this
>>            context. ``ciphers`` should be a list of ciphers from the
>>            ``Cipher`` registry. If none of the ``ciphers`` provided to this
>>            object are supported or available, a ``TLSError`` will be raised.
>>            """
> 
> Implementors should initial context with sensible default settings,
> preferable system-wide settings. For example Fedora is currently
> implementing https://fedoraproject.org/wiki/Changes/CryptoPolicy <https://fedoraproject.org/wiki/Changes/CryptoPolicy> for
> OpenSSL, NSS and GnuTLS.

Is this an additional requirement to create_default_context, which should presumably be able using this API to do sensible things?

>>        @abstractmethod
>>        def wrap_buffers(self, incoming: Any, outgoing: Any,
>>                         server_side=False: bool,
>>                         server_hostname=None: Optional[str]) -> TLSWrappedBuffer:
>>            """
>>            Wrap a pair of buffer objects (``incoming`` and ``outgoing``) to
>>            create an in-memory stream for TLS. The SSL routines will read data
>>            from ``incoming`` and decrypt it, and write encrypted data to
>>            ``outgoing``.
>> 
>>            The ``server_side`` and ``server_hostname`` parameters have the
>>            same meaning as in ``wrap_socket``.
>>            """
> 
> 
> How about not defining this methods at all? IMO it makes no sense to
> support client and server connections from the same context. This is
> also the gist of a PEP I'm currently working on.

When you say “not defining this at all”, do you mean not using “server_side”? Because we definitely need the some wrap methods.

> Cipher suites are going to be a mess! Too bad OpenSSL and GnuTLS do not
> use IANA names. :( It should be good enough to focus on a subset and use
> the wire protocol values as internal identifiers.
> 
> https://raw.githubusercontent.com/tiran/tlsdb/master/tlsdb.json <https://raw.githubusercontent.com/tiran/tlsdb/master/tlsdb.json>
Yeah, I was thinking an enum with values, which give us the advantage of a strongly-typed API as well as giving sensible internal identifiers.

Cory

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170111/beeb31b1/attachment-0001.html>


More information about the Security-SIG mailing list