[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?

Nick Coghlan ncoghlan at gmail.com
Thu May 25 09:22:39 EDT 2017


On 25 May 2017 at 21:24, Antoine Pitrou <solipsis at pitrou.net> wrote:
> The new TLS API wouldn't significantly improve security.  It's just a
> different API.

It isn't just a different API. It's an API with *backends for the
native TLS implementations on Windows and Mac OS X*.

This means that instead of attempting to extract system certs and
inject them into a bundled copy of OpenSSL, it becomes viable to just
use the operating system provided security services and behave the
same way as any other native application (at least as far as secure
network connections are concerned).

Ideally, it would be good to get to a point where we can stop bundling
OpenSSL entirely on Windows and Mac OS X, such that OpenSSL CVEs stop
automatically turning into CPython CVEs, and we can instead delegate
the task of prompt network security stack updates to the OS provider,
the same way we do for non-Apple *nix systems.

Even if it isn't feasible to get Python 2.7 to that happy state by
2020, we may at least be able to get to a point where most routine TLS
connections from Python 2.7 applications are using an OS provided TLS
implementation, so their network security is less dependent on
receiving updates to the Python level components of their stack.

>> I also understood that getting access to system CA allows admins to
>> register their company CA and so avoid that users ignore the TLS warning
>> (unknown CA).
>
> System admins can add the company CA at the system level in the
> system's CA cert store, they have no need for a Python API.  Actually,
> they certainly don't want to modify every Python application to add a
> company CA.

The state of affairs that you're citing as undesirable is pretty much
the way things *currently* work. Most Python applications still won't
see system level certificates on Windows and Mac OS X, and they often
won't see them even on Linux and *BSD systems (unless they're running
directly in the system Python and using the system-provided requests
module, which gets patched to use the system certs rather than the
default Mozilla bundle).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
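The behaviour Nick describes above (a Python application only trusts the OS
certificate store if something explicitly loads it, and libraries that ship
their own Mozilla bundle ignore it) can be checked directly with the stdlib
ssl module. The script below is an added example written for this page; it
is not code from the thread or from CPython itself. It targets Python 3
(ssl.PROTOCOL_TLS_CLIENT, ssl.create_default_context), and the function
names are my own. It shows that a bare SSLContext trusts nothing, reports
where create_default_context() gets its CAs from on the current host (the
OpenSSL cafile/capath on Unix, the Windows "CA"/"ROOT" stores on Windows),
and exports those CAs as a single PEM bundle, which is exactly the "extract
system certs and inject them into bundled OpenSSL" workaround the post
refers to, in a form that can be handed to requests via REQUESTS_CA_BUNDLE.

```python
import ssl


def bare_context_ca_count():
    """A freshly constructed SSLContext trusts nothing: no CA certificates are
    loaded until the application (or a library it uses) loads some. This is
    the state a Python application starts from before any store is consulted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx.cert_store_stats()["x509_ca"]


def trust_store_report():
    """Describe what ssl.create_default_context() actually trusts on this host.

    create_default_context() calls load_default_certs(), which reads the
    OpenSSL default cafile/capath on Unix and the Windows "CA" and "ROOT"
    system stores on Windows. The report lists the OpenSSL locations being
    consulted and how many CA certificates ended up in the context."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    stats = ctx.cert_store_stats()
    return {
        "openssl_cafile": paths.cafile,   # None if the file does not exist
        "openssl_capath": paths.capath,   # None if the directory does not exist
        "windows_store": hasattr(ssl, "enum_certificates"),  # True only on Windows
        "ca_certs_loaded": stats["x509_ca"],
    }


def export_os_ca_bundle():
    """Export the CA certificates the OS-default context trusts as one PEM text.

    Libraries that bundle the Mozilla CA list (requests via certifi) ignore the
    system store, so an admin-installed company CA is not honoured by them. A
    bundle produced here can be pointed at with REQUESTS_CA_BUNDLE or
    verify=<path> so that those libraries see the same CAs as native apps.
    Returns (pem_text, number_of_certs). Note: CAs in a capath directory are
    only loaded by OpenSSL once used, so they may be missing from the export."""
    ctx = ssl.create_default_context()
    der_certs = ctx.get_ca_certs(binary_form=True)
    pem = "".join(ssl.DER_cert_to_PEM_cert(der) for der in der_certs)
    return pem, len(der_certs)


def count_cas_in_pem(pem_text):
    """Load a PEM bundle into an otherwise empty context and count the CAs it
    yields; used to verify that an exported bundle round-trips losslessly."""
    if not pem_text.strip():
        return 0
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    print("bare context CA count:", bare_context_ca_count())
    print("default context:", trust_store_report())
    bundle, n = export_os_ca_bundle()
    print("exported %d CA certs, round-trip loads %d" % (n, count_cas_in_pem(bundle)))
```

On a Windows host the report shows no cafile/capath but a non-zero CA count,
because load_default_certs() pulled the Windows store into OpenSSL; on a
minimal Linux container with no ca-certificates package the count is zero,
which is the "application silently trusts nothing" case that surfaces as
CERTIFICATE_VERIFY_FAILED at connection time.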

