[Python-Dev] More on server-side SSL support
Bill Janssen
janssen at parc.com
Wed Aug 22 17:17:30 CEST 2007
For those of you following along at home, there's now a patch at
http://bill.janssen.org/python/ssl-update-diff which applies against
the current trunk. Working code, though I still need to tweak some
import statements for backwards compatibility. I've started updating
the test suite, see Lib/test_ssl.py. I'd appreciate review and
comments.
Note that the suggested use of the newer code is to
import ssl, socket
conn = ssl.sslsocket(socket.socket())
Using the older
import socket
conn = socket.ssl(socket.socket())
still works for backwards compatibility (same restrictions:
client-side only, no verification of server cert, SSLv23). However,
the object returned from this call is not the older C-implemented SSL
object, but rather an instance of ssl.sslsocket (which supports the
same read() and write() calls). Should I return the C SSL object,
instead?
Bill
> > I view TLS as a wrapper around / layer on top of TCP, and so I think the
> > API should look like, as well.
>
> I think Martin raises a valid point here, which should at least be
> discussed more thoroughly. Should there be an "SSL socket", which is
> just like a regular socket? Does that really provide any additional
> functionality to anyone? Most apps and classes that use TCP sockets
> wrap the socket with socket._fileobject() to get "read" and "write",
> anyway -- can't they just wrap it with socket.ssl instead?
>
> Perhaps in the sprint, I should just concentrate on widening the
> "socket.ssl" interface a bit, and improving the functionality of the
> SSLObject a bit.
>
> Suggested improvements:
>
> * Allow server-side operation.
>
> * Allow specification of particular SSL protocol version.
>
> * Allow certificate validation. This is a bit tricky; typically
> certs are validated against some database of root certificates, so you
> need a whole infrastructure to maintain that database. Currently, we
> don't have one, so no certs can be validated. We could add a switch
> to allow auto-validation of self-signed certs pretty easily. I could
> add a parameter to the SSLObject constructor which would be a filepath
> for a file full of root certs (see SSL_CTX_load_verify_locations(3ssl)).
>
> * Add a method to retrieve the other side's certificate info. What's
> a good format for the "notBefore" and "notAfter" dates? The simplest
> thing to use is the string formatting OpenSSL provides, which is
> always like "Sep 29 16:38:04 2006 GMT", which can easily be parsed
> by the time.strptime() function if the user wants something else.
> On the other hand, figuring out how to use strptime() is always a
> pain, so providing a convenience function wouldn't be a terrible idea.
>
> * Add a shutdown() method to stop using SSL on the underlying socket
> without closing the socket.
>
> * Make SSLObject conform to the Raw I/O API in PEP 3116. This one is
> interesting; what should close() do? Close the underlying socket? Or
> just do an SSL shutdown?
>
> Bill
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/janssen%40parc.com
More information about the Python-Dev
mailing list