[Security-sig] Unified TLS API for Python

Christian Heimes christian at cheimes.de
Thu Jan 12 14:13:53 EST 2017


On 2017-01-12 18:07, Wes Turner wrote:
> 
> 
> On Thursday, January 12, 2017, Cory Benfield <cory at lukasa.co.uk
> <mailto:cory at lukasa.co.uk>> wrote:
> 
> 
>>     On 11 Jan 2017, at 21:44, Wes Turner <wes.turner at gmail.com
>>     <javascript:_e(%7B%7D,'cvml','wes.turner at gmail.com');>> wrote:
>>
>>     This may be a bit of a different use case (and possibly worth
>>     having in the first version of a new tls module):
>>
>>     "Hitless TLS Certificate Rotation in Go"
>>     https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/
>>     <https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/>
>>
>>     - Can/could this be done with only set_sni_callback ?
> 
>     Yes, it can be. Twisted has an extension module, txsni, that uses
>     the SNI callback to choose which certificate to provide.
> 
> 
> https://github.com/glyph/txsni
>  
> 
>      This is basically identical to the Go GetCertificate callback function.
> 
> 
> There's more config than just the cert, though. There are really two
> reqs mentioned: SNI (Server Name Indication), and "hot" TLS config
> detection/selection:
> 
> """
> The idea is to allow an administrator to force the whole cluster to
> migrate away from an old root CA transparently, removing its existence
> from the trust stores of all the nodes participating in the Swarm. This
> means that we need control over the whole TLS config, instead of
> controlling only which certificate is currently being served.
> """
> '""
> We chose to create a MutableTLSCreds
> <https://github.com/docker/swarmkit/blob/master/ca/transport.go> struct,
> which implements this TransportCredentials
> <https://godoc.org/google.golang.org/grpc/credentials> interface and
> allows the caller to simply change the TLS Config by
> calling |LoadNewTLSConfig|.
> """
> 
> IIUC, we'd currently have to create a new context to change any config
> other than the cert?

Such advanced features are out-of-scope for the PEP. Please remember
that any additional features makes it way more complicated for
implementers. Personally I would rather remove half of the PEP than add
new things. For pip, requests, and similar libraries only a subset of
the features are really required:

* ClientContext.wrap_socket()
* a function like create_default_context() to create a client context
that either loads a CA file or the system's trust store
* TLSError
* TLSWrappedSocket with socket.socket API

Cory likes to define the API the additional features and server-side
TLS. I consider it useful, partly advanced and nice-to-have, but not
mandatory to solve the immediate issue we are facing now. [1]

Let's keep it simple. We can always define an enhanced superset of the
TLS ABC later. But we cannot remove features or change API in an
incompatible way later.

Christian

https://mail.python.org/pipermail/distutils-sig/2017-January/029970.html


More information about the Security-SIG mailing list