[Python-Dev] Python stdlib ssl.SSLContext is missing mode setting ability

Ben Bangert ben at groovie.org
Wed Nov 18 22:53:14 EST 2015


In Python 2 and 3, the ssl module's SSLContext object has a way to set
SSL options, but not to set SSL modes.

The set_mode command and some of the available modes:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html

The most critical mode is SSL_MODE_RELEASE_BUFFERS, which can drop the
SSL overhead *per connection* from around 25kb to ~7kb. The pyopenssl
library allows the setting of SSLContext modes; it seems very odd that
the Python 2/3 ssl modules do not. Though I could understand that
perhaps not all SSL libraries Python might build against would have
this mode thing available.

(BoringSSL sets this mode by default; it's considered such an obvious win)

If there is some way to set this I happened to miss, apologies, I only
went looking through the docs for it, not the code.

On a side-note, in my testing, Python 3.4 had about 20kb/connection of
overhead for using SSL, but Python 3.5 jumped to 30kb/connection of
SSL overhead. These numbers for SSL overhead are far too high for any
reasonable use of Python+SSL on highly concurrent systems. Test repo
for testing SSL overhead here:
https://github.com/bbangert/ssl-ram-testing/

Cheers,
Ben
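
Added example, not part of the original message: a side-by-side check of the gap described above, showing that a stdlib `ssl.SSLContext` exposes an options bitmask but no mode setter, while pyOpenSSL's `Context.set_mode()` accepts `MODE_RELEASE_BUFFERS`. The function names are illustrative, and the pyOpenSSL half assumes that third-party package is installed (the import is guarded).

```python
import ssl

try:
    from OpenSSL import SSL  # pyOpenSSL (third-party); optional here
except ImportError:
    SSL = None


def stdlib_mode_api():
    """Return any mode-setting names found on a stdlib SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Options are adjustable through the documented bitmask attribute ...
    ctx.options |= ssl.OP_NO_COMPRESSION
    # ... but there is no counterpart for OpenSSL's SSL_CTX_set_mode().
    return [name for name in ("mode", "modes", "set_mode") if hasattr(ctx, name)]


def pyopenssl_available():
    return SSL is not None


def pyopenssl_release_buffers_context():
    """Build a pyOpenSSL context with SSL_MODE_RELEASE_BUFFERS enabled.

    Returns (context, flag) where flag says whether the bit is set.
    """
    if SSL is None:
        raise RuntimeError("pyOpenSSL is not installed")
    # Despite its name, SSLv23_METHOD is the version-negotiating method.
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    # set_mode() ORs the requested bits in and returns the resulting bitmask;
    # previously set modes are not cleared.
    mask = ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)
    return ctx, bool(mask & SSL.MODE_RELEASE_BUFFERS)


if __name__ == "__main__":
    print("stdlib mode setters found:", stdlib_mode_api())
    if pyopenssl_available():
        _, enabled = pyopenssl_release_buffers_context()
        print("pyOpenSSL MODE_RELEASE_BUFFERS set:", enabled)
    else:
        print("pyOpenSSL not installed; skipping set_mode() check")
```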

