Mailing List Archive: Python: Dev

evolving the SSL module API


janssen at parc

Sep 10, 2009, 12:01 PM

Post #1 of 3 (495 views)
evolving the SSL module API

Heikki, I'm OK with this, too. Would you like to propose an extended
API for the SSL module? That would give us a starting point to talk
about.

This should probably be a PEP, just for the sake of writing things down.

As you say, the hostname checking feature seems to me possibly
appropriate for some application protocols, though it's made the use of
HTTPS as a transport-level protocol unnecessarily confusing and buggy.
I don't see putting that into the SSL module as a default, but perhaps a
utility function in that module, to check a server-side cert against a
hostname, is a good idea.

Bill


Heikki Toivonen <htoivonen [at] spikesource> wrote:

> Bill Janssen wrote:
> > OK, seems reasonable. Thanks. In the near term, can you do this with
> > M2Crypto or PyOpenSSL?
> >
> > When I started this update in 2007, we were trying to keep the API
> > simple to avoid confusing people and avoid competition with the two
> > full-fledged toolkits out there. But I don't see any real reason not to
> > extend the API a bit.
>
> Speaking as the M2Crypto maintainer, I don't mind the stdlib competing
> with M2Crypto/getting better at SSL. In fact, I would actually like to
> see the stdlib SSL implementation getting good enough so that people
> would not need M2Crypto for SSL (except maybe in special circumstances).
> There is much M2Crypto does besides SSL, so this wouldn't even obsolete it.
>
> One of the main things IMO missing from the stdlib SSL implementation is
> hostname checking by default (with override option), but I know you and
> I have different opinions on this. I would be happy to provide patches
> against the stdlib SSL implementation for some things M2Crypto does that
> the stdlib SSL module is missing if we could agree on the
> features/design first. Simple is good, but I'd like the defaults to be
> secure and commonly overridden things to be overrideable.
>
> --
> Heikki Toivonen
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev [at] python
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/janssen%40parc.com



jnoller at gmail

Sep 10, 2009, 12:17 PM

Post #2 of 3 (451 views)
Re: evolving the SSL module API [In reply to]

There's also the patch to httplib that Devin Cook has been working on
for SSL enhancements, some of which do name checking. He's got most of
a patch completed.



devin.c.cook at gmail

Sep 10, 2009, 2:00 PM

Post #3 of 3 (446 views)
Re: evolving the SSL module API [In reply to]

Yes, my patch implements hostname checking in httplib (although I
haven't had time to do much testing). I also made the documentation
changes, but have not yet created any test cases since there really
aren't any HTTPS test cases in the test_httplib.py file (which is
probably another issue that needs attention).

We had talked a month or two back about including hostname checking in
the ssl module, but the consensus seemed to be that it doesn't belong
there.

Personally, I would like to see it make it into the ssl module, as
that would mean all the modules that use the ssl module (httplib,
etc.) wouldn't have to write their own (and it isn't very
straightforward... lots of different RFCs involved). Just my 2 cents.

-Devin

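One shape the "utility function to check a server-side cert against a hostname" proposed in this thread could take, as an added example that is not code from the thread, from M2Crypto or from the stdlib (the stdlib later gained ssl.match_hostname in Python 3.2): it matches a getpeercert()-style dict against a hostname, treats DNS subjectAltName entries as authoritative, falls back to the commonName only when no DNS SAN exists, and honours a wildcard only as the whole leftmost label. The certificate dict and all function names are constructed for illustration.

```python
# Added example (not the thread's, M2Crypto's or the stdlib ssl module's code):
# hostname matching on a getpeercert()-style dict; sample values are constructed.

class CertificateError(ValueError):
    """The presented certificate does not match the requested hostname."""


def _dnsname_matches(pattern, hostname):
    """Match one dNSName pattern against hostname, case-insensitively.

    A wildcard is honoured only as the whole leftmost label of a pattern with at
    least three labels, and matches exactly one label: "*.example.com" matches
    "a.example.com" but not "a.b.example.com"; "f*o.example.com" never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches_hostname(cert, hostname):
    """True if cert (a dict as returned by SSLSocket.getpeercert()) names hostname.
    DNS subjectAltName entries are authoritative; subject commonName is used only
    when no DNS SAN exists. The empty dict getpeercert() returns for an unverified
    peer never matches, so a CERT_NONE handshake cannot pass this check by accident.
    """
    if not cert:
        return False
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dnsname_matches(n, hostname) for n in names)


def match_hostname(cert, hostname):
    """Raise CertificateError unless cert matches hostname; call right after the handshake."""
    if not cert_matches_hostname(cert, hostname):
        raise CertificateError("hostname %r does not match the certificate" % hostname)


# Constructed sample in the shape getpeercert() produces for a verified peer.
SAMPLE_CERT = {
    "subject": ((("commonName", "cn-ignored-when-sans-exist.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```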
