[Security-sig] Unified TLS API for Python: Draft 3
Donald Stufft
donald at stufft.io
Thu Jan 26 16:17:43 EST 2017
> On Jan 26, 2017, at 4:18 AM, Cory Benfield <cory at lukasa.co.uk> wrote:
>
> For this reason I’m inclined to lean towards the more verbose approach of just writing down what all of the cipher suites are in an enum. That way, it gets much easier to validate what’s going on. There’s still no requirement to actually support them all: an implementation is allowed to quietly ignore any cipher suites it doesn’t support. But that can no longer happen due to typos, because typos now cause AttributeErrors at runtime in a way that is very obvious and clear.
I’d say additionally that given the verbose approach a third party library could provide this OpenSSL like API and be responsible for “compiling” it down to the actual list of ciphers for input into the verbose API. If one of those got popular and seemed stable enough to add it, we could always add it in later as a higher level API for cipher selection without the backends needing to change anything since the output of such a function would still be a list of all of the desired ciphers which would be the input to the backends.
—
Donald Stufft
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170126/3fcc132a/attachment.html>
More information about the Security-SIG
mailing list