Beefing up socket.ssl(...)

Ed Phillips ed at UDel.Edu
Fri Jul 25 16:22:17 EDT 2003


On Fri, 25 Jul 2003, Skip Montanaro wrote:

>     Ed> From looking at Modules/socketmodule.c in 2.2.2 and 2.2.3, it
>     Ed> appears that only a tiny bit of support for SSL has been added.
>     Ed> Specifically, unless I'm misunderstanding the operation of the code,
>     Ed> there's no way to verify the certificate presented by a server.
>
> Note that since 2.2.3 is just a bugfix release, you shouldn't expect any
> increase in functionality.  I'm mildly surprised that you noticed any
> functional changes between 2.2.2 and 2.2.3.

Sorry, I didn't mean to imply they were different... I just meant that I
looked at them both (not realizing they should be the same except for bug
fixes).  By "only a tiny bit of support for SSL has been added", I meant
"... to Python in general as of 2.2.2 and 2.2.3".

> I suggest you take 2.3c2 out for a spin and see if it has more of the
> features you're after.  (2.3final is due out by the end of the month.)

Hmmmm... well, I guess I can take a look at socketmodule.c in 2.3c2 and
see if it's any different than previous versions as far as the amount of
SSL functionality goes.

> In any case, if you have patches to submit, please use SourceForge and
> note that any functional improvements will be targeted at 2.4 at this
> point. You can find more about patch submission at the Patch Submission
> Guidelines page:
>
>      http://www.python.org/patches/

I'm not sure whether this "functional change" would be considered a "bug
fix" or "feature addition".  The SSL support in socketmodule.c seems to be
lacking almost to the point of being "unusable"... I can't imagine anyone
actually using it for anything "real" in its current state, and in that
sense, it may be legitimate to call my changes a "bug fix".

I guess I could attack it either way.  I could modify the existing
socket.ssl() pieces to work "better" (at least in the normal "act like a
web browser and verify server certs" sense), or I could add new
"features".  It might be nice to have a socket.sslclient() method that
would verify the server cert and optionally authenticate with a client
certificate (although the client auth part is probably out of my league at
this point), along with a socket.sslserver() method which would perform
the normal server-side SSL duties.

Or I could just hack on socketmodule.c with every new Python release and
hope that someone eventually adds better SSL support.  Anyone working on
that already?

Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key




