[Security-sig] Unified TLS API for Python: Draft 3

Wes Turner wes.turner at gmail.com
Fri Feb 10 12:20:05 EST 2017


On Fri, Jan 27, 2017 at 9:30 AM, Wes Turner <wes.turner at gmail.com> wrote:

>
> On Fri, Jan 27, 2017 at 3:10 AM, Cory Benfield <cory at lukasa.co.uk> wrote:
>
>>
>> On 26 Jan 2017, at 21:17, Donald Stufft <donald at stufft.io> wrote:
>>
>> On Jan 26, 2017, at 4:18 AM, Cory Benfield <cory at lukasa.co.uk> wrote:
>>
>> For this reason I’m inclined to lean towards the more verbose approach of
>> just writing down what all of the cipher suites are in an enum. That way,
>> it gets much easier to validate what’s going on. There’s still no
>> requirement to actually support them all: an implementation is allowed to
>> quietly ignore any cipher suites it doesn’t support. But that can no longer
>> happen due to typos, because typos now cause AttributeErrors at runtime in
>> a way that is very obvious and clear.
>>
>> I’d say additionally that given the verbose approach a third party
>> library could provide this OpenSSL like API and be responsible for
>> “compiling” it down to the actual list of ciphers for input into the
>> verbose API. If one of those got popular and seemed stable enough to add
>> it, we could always add it in later as a higher level API for cipher
>> selection without the backends needing to change anything since the output
>> of such a function would still be a list of all of the desired ciphers
>> which would be the input to the backends.
>>
>> Yup, strongly agreed.
>>
>
> https://github.com/tiran/tlsdb/blob/master/tlsdb.py
>
> - [ ] ENH: tlsdb.py: add parsers/datasources for {SChannel,
> SecureTransport}
>
>   - [x] openssl-master
>   - [x] openssl-1.02
>   - [x] gnutls-master
>   - [x] nss-tip
>   - [x] mod_nss-master
>   - [x] **iana**
>   - [x] mozilla-server-side
>   - [ ] SChannel
>   - [ ] SecureTransport
>
> - [ ] ENH: tlsdb.py: add OpenSSL-workalike lookup method
> - [ ] BLD: tls.config.__: generate Enums?
>

To be clear, I don't have the resources necessary to complete these tasks.
Would these tasks be necessary/helpful?

Reading:
https://github.com/mathiasertl/django-ca/blob/master/requirements.txt

I learned about oscrypto:

- oscrypto: "TLS (SSL) sockets, key generation, encryption, decryption,
signing, verification and KDFs using the OS crypto libraries. Does not
require a compiler, and relies on the OS for patching. Works on Windows, OS
X and Linux/BSD."
  - src: https://github.com/wbond/oscrypto
  - pypi: https://pypi.python.org/pypi/oscrypto
  - docs: https://github.com/wbond/oscrypto/blob/master/docs/readme.md#modern-cryptography

Is oscrypto useful or relevant to this effort?


>
>>
>> Cory
>>
>> _______________________________________________
>> Security-SIG mailing list
>> Security-SIG at python.org
>> https://mail.python.org/mailman/listinfo/security-sig
>>
>>
>
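An added example, not code from the thread, from tlsdb or from the draft API, illustrating the enum-versus-string point discussed above: a verbose enum of cipher suites where a typo is a runtime error, and a separate "compile it down" layer that turns OpenSSL-style names into enum members before a backend sees them. It assumes a constructed five-entry `CipherSuite` enum and a hand-written `OPENSSL_NAMES` table; both are stand-ins for what a full registry or a tlsdb-style data source would generate.

```python
from enum import Enum

class CipherSuite(Enum):
    # IANA names and code points; five real entries as a constructed sample.
    TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
    TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030

# Hypothetical OpenSSL-name -> enum table (the kind of mapping a tlsdb-style
# data source would generate); hand-written here for the sample above.
OPENSSL_NAMES = {
    "DES-CBC3-SHA": CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    "AES128-SHA": CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
    "ECDHE-ECDSA-AES128-GCM-SHA256": CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    "ECDHE-RSA-AES128-GCM-SHA256": CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    "ECDHE-RSA-AES256-GCM-SHA384": CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

def string_based_selection(cipher_string, backend_supported):
    """OpenSSL-string style: a typo is just another unknown name and is
    dropped without error, the failure mode the thread wants to rule out."""
    return [n for n in cipher_string.split(":") if n in backend_supported]

def compile_openssl_cipher_string(cipher_string):
    """The 'compile it down' layer from the thread: OpenSSL-style names become
    enum members, and a misspelled name fails loudly instead of vanishing."""
    suites = []
    for name in cipher_string.split(":"):
        if name not in OPENSSL_NAMES:
            raise ValueError("unknown cipher name: %r" % name)
        if OPENSSL_NAMES[name] not in suites:
            suites.append(OPENSSL_NAMES[name])
    return suites

def backend_select(requested, backend_supported):
    """A backend may quietly ignore suites it does not implement (the draft
    allows this), but every item it sees is a valid CipherSuite member."""
    return [s for s in requested if s in backend_supported]

def typo_raises_attribute_error(name):
    """Attribute access on the enum is what a misspelled CipherSuite.TLS_...
    line does at runtime: AttributeError rather than silent acceptance."""
    try:
        getattr(CipherSuite, name)
    except AttributeError:
        return True
    return False
```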