[Python-Dev] evolving the SSL module API

Jesse Noller jnoller at gmail.com
Thu Sep 10 21:17:33 CEST 2009


There's also the patch to httplib that Devin Cook has been working on
for SSL enhancements, some of which do name checking. He's got most of
a patch completed.

On Thu, Sep 10, 2009 at 3:01 PM, Bill Janssen <janssen at parc.com> wrote:
> Heikki, I'm OK with this, too.  Would you like to propose an extended
> API for the SSL module?  That would give us a starting point to talk
> about.
>
> This should probably be a PEP, just for the sake of writing things down.
>
> As you say, the hostname checking feature seems to me possibly
> appropriate for some application protocols, though it's made the use of
> HTTPS as a transport-level protocol unnecessarily confusing and buggy.
> I don't see putting that into the SSL module as a default, but perhaps a
> utility function in that module, to check a server-side cert against a
> hostname, is a good idea.
>
> Bill
>
>
> Heikki Toivonen <htoivonen at spikesource.com> wrote:
>
>> Bill Janssen wrote:
>> > OK, seems reasonable.  Thanks.  In the near term, can you do this with
>> > M2Crypto or PyOpenSSL?
>> >
>> > When I started this update in 2007, we were trying to keep the API
>> > simple to avoid confusing people and avoid competition with the two
>> > full-fledged toolkits out there.  But I don't see any real reason not to
>> > extend the API a bit.
>>
>> Speaking as the M2Crypto maintainer, I don't mind the stdlib competing
>> with M2Crypto/getting better at SSL. In fact, I would actually like to
>> see the stdlib SSL implementation getting good enough so that people
>> would not need M2Crypto for SSL (except maybe in special circumstances).
>> There is much M2Crypto does besides SSL so this wouldn't even obsolete it.
>>
>> One of the main things IMO missing from stdlib SSL implementation is
>> hostname checking by default (with override option), but I know you and
>> I have different opinions on this. I would be happy to provide patches
>> against the stdlib SSL implementation for some things M2Crypto does that
>> the stdlib SSL module is missing if we could agree on the
>> features/design first. Simple is good, but I'd like the defaults to be
>> secure and commonly overridden things to be overrideable.
>>
>> --
>>   Heikki Toivonen
>>
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> http://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe: http://mail.python.org/mailman/options/python-dev/janssen%40parc.com
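Bill's suggestion of a utility function that checks a server-side certificate against a hostname, as an added example; this is not code from the thread, from M2Crypto or from the stdlib ssl module. It assumes the certificate arrives in the dict layout that `ssl.SSLSocket.getpeercert()` returns (nested `subject` tuples plus a `subjectAltName` list), the sample certificates are constructed inline, and the matching rules (case-insensitive, DNS subjectAltName entries preferred over the subject commonName, a wildcard honoured only as the whole leftmost label) are this example's own choices rather than anything the thread specifies.

```python
"""Hostname check against a peer certificate given in the shape of the
dict returned by ssl.SSLSocket.getpeercert(). Added example for the
discussion above; not code from the thread, M2Crypto or the stdlib."""


class CertificateError(ValueError):
    """Raised when the certificate does not match the expected hostname."""


def _dns_name_matches(pattern, hostname):
    """Match one DNS name from the cert against the hostname.

    Rules chosen for this example: case-insensitive comparison with a
    trailing dot ignored; '*' is honoured only as the whole leftmost
    label and only when at least two labels follow it, so
    '*.example.com' matches 'www.example.com' but not 'example.com',
    not 'a.b.example.com', and '*.com' matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        # Refuse bare or too-short wildcards such as "*" or "*.com".
        if len(rest) < 2:
            return False
        return rest == h_labels[1:]
    # Any other label (including partial wildcards like "f*o") is literal.
    return p_labels == h_labels


def match_hostname(cert, hostname):
    """Check that *cert* (getpeercert()-style dict) is valid for *hostname*.

    DNS entries in subjectAltName are authoritative; the subject
    commonName is consulted only when the cert carries no DNS SANs.
    Raises CertificateError on mismatch, returns True on success.
    """
    if not cert:
        raise CertificateError("empty or missing certificate")
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    if not dns_names:
        raise CertificateError("certificate has no DNS names to check")
    for name in dns_names:
        if _dns_name_matches(name, hostname):
            return True
    raise CertificateError(
        "hostname %r does not match certificate names %r" % (hostname, dns_names))


def is_valid_for(cert, hostname):
    """Boolean wrapper around match_hostname for callers that prefer no exception."""
    try:
        return match_hostname(cert, hostname)
    except CertificateError:
        return False


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.net"),)),
}


if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.com"),
                       (SAN_CERT, "v1.api.example.com"),
                       (SAN_CERT, "ignored.example.org"),
                       (CN_ONLY_CERT, "mail.example.net")]:
        print(host, "->", "ok" if is_valid_for(cert, host) else "MISMATCH")
```

A real client would call `match_hostname(sock.getpeercert(), host)` only after the handshake has already verified the chain (`CERT_REQUIRED` with a CA bundle); without chain validation the name check proves nothing, since any party can issue itself a certificate carrying the expected name. The commonName fallback is kept because 2009-era certificates often lacked a subjectAltName, and the explicit exception gives application protocols the override point the thread asks for.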

