[Security-sig] Unified TLS API for Python

Christian Heimes christian at cheimes.de
Wed Jan 11 15:51:15 EST 2017 

On 2017-01-11 21:16, Cory Benfield wrote:
> 
>> On 11 Jan 2017, at 19:36, Christian Heimes <christian at cheimes.de
>> <mailto:christian at cheimes.de>> wrote:
>>
>> Since this function is only required for TLS servers and TLS client cert
>> authentication, I'd rather mark this function provisional or not define
>> it in the first version.
> 
> Is that the best option? Will there be any TLS implementation that
> cannot meet a stripped down version of this function’s requirements? If
> we can achieve a minimum viable approach whereby 80% of the use-case
> (unencrypted/encrypted certs on disk) can be met, I’d like to be able to
> meet it.

Of course we can solve any problem by adding just another layer of
abstraction! :) In this case it seems preferable and matches my idea for
3.7 improvements. How about you change register_certificates() to accept
a list of certificate instances (sorted from EE, intermediate 1 (issuer
of EE), intermediate 2 (issuer of 1), intermediate 3 ...) and a key
object. The exact nature of a certificate class is implementation specific.

The approach has also the benefit that file to list of certificates is
handled by the certificate class:

class Certificate:
    @abstractclassmethod
    def from_buffer(cls, filename: (str, bytes)) -> List(Certificate):
        pass


    @abstractclassmethod
    def from_file(cls, filename: path) -> List(Certificate):
        pass


>> Implementors should initial context with sensible default settings,
>> preferable system-wide settings. For example Fedora is currently
>> implementing https://fedoraproject.org/wiki/Changes/CryptoPolicy for
>> OpenSSL, NSS and GnuTLS.
> 
> Is this an additional requirement to create_default_context, which
> should presumably be able using this API to do sensible things?

I would rather make the default contexts secure by default without the
need of a secure factory function. set_ciphers() should not be needed at
all to get good settings. Only poor slobs should use set_ciphers() to
enable bad ciphers for broken legacy systems.


> When you say “not defining this at all”, do you mean not using
> “server_side”? Because we definitely need the some wrap methods.

Sorry, I was not precise here. I meant that both wrap methods should be
limited to ClientContext and ServerContext classes. There is no good use
case to have a context that supports both client and server connections.

In Python code:

del _BaseContext.wrap_socket
del _BaseContext.wrap_buffers

:)

Christian

More information about the Security-SIG mailing list