[Security-sig] Unified TLS API for Python: Round 2
Nathaniel Smith
njs at pobox.com
Thu Jan 26 05:49:28 EST 2017
On Thu, Jan 26, 2017 at 1:50 AM, Cory Benfield <cory at lukasa.co.uk> wrote:
>
>> On 26 Jan 2017, at 07:49, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>> Option 4: tls.TLSError, tls.WantReadError, tls.WantWriteError are
>> defined as inheriting from ssl.SSLError, ssl.SSLWantReadError, and
>> ssl.SSLWantWriteError *if* the latter are defined
>>
>> Option 5: as with Option 4, but the "ssl" module is also changed such
>> that it *always* defines at least ssl.SSLError, ssl.SSLWantReadError,
>> and ssl.SSLWantWriteError (and perhaps some of the other APIs that can
>> be emulated atop the new tls abstraction), even if OpenSSL itself is
>> unavailable
>
> Here’s my problem with this:
>
> try:
>     socket.recv(8192)
> except tls.WantWriteError:
>     socket.write(some_buffer)
>
> This code does not work with the legacy ssl module, because isinstance(ssl.SSLWantWriteError, tls.WantWriteError) is false. This means that we need to write a shim over the legacy ssl module that wraps *all* API calls, catches all exceptions and then translates them into subclasses of the tls error classes. That seems entirely batty to me.
It seems like the simplest effective solution to these problems would
be for ssl in 3.7 to do
ssl.py:

    # re-export the tls exception classes under their legacy ssl names
    from tls import (TLSError as SSLError,
                     WantWriteError as SSLWantWriteError,
                     WantReadError as SSLWantReadError)
and then legacy code that catches SSLWant{Write,Read}Error will be
automatically ported forward to the new TLS world. And in the
backported version of the tls module for older Pythons, we could have
it do the reverse to accomplish a similar effect (at the cost of
importing ssl -- but this seems unavoidable in old-Python):
tls.py:

    # backport: the tls names are aliases of the existing ssl exception classes
    from ssl import (SSLError as TLSError,
                     SSLWantWriteError as WantWriteError,
                     SSLWantReadError as WantReadError)
There's really no case where it's important to distinguish these, right?
-n
--
Nathaniel J. Smith -- https://vorpus.org
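As an added example that is not code from this thread or from the ssl/tls modules, the following simulates the three exception layouts discussed above (unrelated hierarchies, Option 4 subclassing, and the alias re-export) with throwaway stand-in classes, and checks in which direction an `except` clause written against one module catches errors raised by the other.

```python
# Added example (not from the thread): stand-in modules and classes simulate
# the exception layouts discussed above; no real ssl/tls module is imported.
import types


def build_modules(layout):
    """Return stand-in (ssl, tls) modules wired up as `layout` describes.

    'separate': unrelated hierarchies (the failing case from the thread).
    'subclass': Option 4, tls errors subclass the ssl ones.
    'alias':    the proposal above, ssl names are aliases of the tls classes.
    """
    ssl = types.ModuleType("ssl_stub")
    tls = types.ModuleType("tls_stub")
    if layout == "alias":
        tls.TLSError = type("TLSError", (Exception,), {})
        tls.WantWriteError = type("WantWriteError", (tls.TLSError,), {})
        # equivalent of: from tls import TLSError as SSLError, ...
        ssl.SSLError = tls.TLSError
        ssl.SSLWantWriteError = tls.WantWriteError
    else:
        ssl.SSLError = type("SSLError", (Exception,), {})
        ssl.SSLWantWriteError = type("SSLWantWriteError", (ssl.SSLError,), {})
        base_err = ssl.SSLError if layout == "subclass" else Exception
        tls.TLSError = type("TLSError", (base_err,), {})
        bases = (tls.TLSError, ssl.SSLWantWriteError) if layout == "subclass" \
            else (tls.TLSError,)
        tls.WantWriteError = type("WantWriteError", bases, {})
    return ssl, tls


def caught_by(handler_cls, raised_cls):
    """True if `except handler_cls:` catches an instance of `raised_cls`."""
    try:
        raise raised_cls("stand-in socket error")  # constructed, not a real I/O error
    except handler_cls:
        return True
    except Exception:
        return False


def compatibility(layout):
    """(new-style handler catches legacy error, legacy handler catches new error)."""
    ssl, tls = build_modules(layout)
    return (caught_by(tls.WantWriteError, ssl.SSLWantWriteError),
            caught_by(ssl.SSLWantWriteError, tls.WantWriteError))


if __name__ == "__main__":
    for name in ("separate", "subclass", "alias"):
        print(name, compatibility(name))
```

Only the alias layout yields `(True, True)`: Option 4 lets legacy `except ssl.SSLWantWriteError` code catch new tls errors, but a handler written against `tls.WantWriteError` still misses errors raised by the legacy module.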