[issue45567] Support TLS Encrypted ClientHello (ECH)

Christian Heimes report at bugs.python.org
Fri Oct 22 06:41:35 EDT 2021


Christian Heimes <lists at cheimes.de> added the comment:

Thanks for filing this feature request!

The DNS lookup part is out of scope for the ssl module. I don't want to get into the DNS business. At $WORK I work on BIND, DNSSEC and DNS over TLS. Secure DNS (and DNS in general) is already complicated when you control the entire stack and only have to deal with one family of Linux distros. AFAIK there isn't even a platform-independent way to perform lookups with arbitrary RRTYPEs. res_nquery() is only available on some platforms and doesn't work reliably with some libcs. I have had issues with EDNS0 on musl in the past. KRB5KDC SRV lookups with large responses were unreliable. Let's offload the DNS part to consumers of the ssl module. They can use python-dns or c-ares.

The ECH part and callback look sensible, though. I'll include the APIs as soon as OpenSSL supports them.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue45567>
_______________________________________
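As an added example (not code from this issue or from CPython), here is the consumer-side step the comment above leaves to callers of the ssl module: after a DNS library such as the python-dns or c-ares mentioned in the comment has fetched the HTTPS (type 65) record, the ECHConfigList has to be extracted from the `ech` SvcParam and decoded before a TLS library can use it. The wire formats assumed are RFC 9460 for SVCB/HTTPS RDATA and ECHConfig version 0xfe0d from the TLS ECH draft; the record built at the bottom is constructed for this example, and its 32 key bytes are filler rather than a real HPKE public key.

```python
"""Extract and decode the ECHConfigList carried in an HTTPS RR's SvcParams.

Assumed wire formats: RFC 9460 (SVCB/HTTPS RDATA) and ECHConfig version
0xfe0d from draft-ietf-tls-esni.  The sample record is constructed here.
"""
import struct

SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5              # SvcParamKey "ech" (RFC 9460)
ECH_VERSION_DRAFT13 = 0xFE0D  # ECHConfig version this parser understands


def _read_name(buf: bytes, pos: int):
    """Decode an uncompressed wire-format domain name; return (name, new_pos)."""
    labels = []
    while True:
        ln = buf[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB TargetName")
        labels.append(buf[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels) + ".", pos


def parse_https_rdata(rdata: bytes) -> dict:
    """Return {'priority', 'target', 'params': {SvcParamKey: raw value bytes}}."""
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, vlen = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:                      # RFC 9460: keys strictly increasing
            raise ValueError("SvcParamKeys must be strictly increasing")
        if pos + vlen > len(rdata):
            raise ValueError("truncated SvcParamValue")
        params[key] = rdata[pos:pos + vlen]
        pos += vlen
        last_key = key
    return {"priority": priority, "target": target, "params": params}


def _parse_ech_contents(body: bytes) -> dict:
    """ECHConfigContents for version 0xfe0d: HpkeKeyConfig, max name len, public_name, extensions."""
    config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
    pos = 5
    public_key = body[pos:pos + pk_len]
    pos += pk_len
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if cs_len % 4:
        raise ValueError("cipher_suites length must be a multiple of 4")
    suites = [struct.unpack_from("!HH", body, pos + i) for i in range(0, cs_len, 4)]
    pos += cs_len
    max_name_len, pn_len = body[pos], body[pos + 1]
    pos += 2
    public_name = body[pos:pos + pn_len].decode("ascii")
    pos += pn_len
    ext_len = struct.unpack_from("!H", body, pos)[0]
    extensions = body[pos + 2:pos + 2 + ext_len]
    return {"version": ECH_VERSION_DRAFT13, "config_id": config_id, "kem_id": kem_id,
            "public_key": public_key, "cipher_suites": suites,
            "maximum_name_length": max_name_len, "public_name": public_name,
            "extensions": extensions}


def parse_ech_config_list(blob: bytes) -> list:
    """Decode an ECHConfigList; configs with an unknown version are kept raw, not rejected."""
    if struct.unpack_from("!H", blob, 0)[0] != len(blob) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(blob):
        version, length = struct.unpack_from("!HH", blob, pos)
        pos += 4
        body = blob[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        pos += length
        configs.append(_parse_ech_contents(body) if version == ECH_VERSION_DRAFT13
                       else {"version": version, "raw": body})
    return configs


def ech_configs_from_https_rdata(rdata: bytes):
    """Parsed ECH configs from an HTTPS record, or None when the record carries no ech param."""
    blob = parse_https_rdata(rdata)["params"].get(SVCPARAM_ECH)
    return None if blob is None else parse_ech_config_list(blob)


def build_sample_rdata() -> bytes:
    """Constructed HTTPS RDATA: priority 1, target '.', alpn=h2, one 0xfe0d ECHConfig (filler key)."""
    pubkey = bytes(range(32))                                   # filler, not a real X25519 key
    contents = (struct.pack("!BHH", 0x2A, 0x0020, len(pubkey)) + pubkey   # id, DHKEM(X25519), key
                + struct.pack("!HHH", 4, 0x0001, 0x0001)          # one suite: HKDF-SHA256/AES-128-GCM
                + bytes([64, len(b"public.example")]) + b"public.example"
                + struct.pack("!H", 0))                           # no extensions
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    ech_list = struct.pack("!H", len(config)) + config
    alpn = b"\x02h2"
    return (struct.pack("!H", 1) + b"\x00"                        # SvcPriority, TargetName "."
            + struct.pack("!HH", SVCPARAM_ALPN, len(alpn)) + alpn
            + struct.pack("!HH", SVCPARAM_ECH, len(ech_list)) + ech_list)
```

The length checks matter because the record comes from the network: an attacker who can forge DNS answers (the reason the HTTPS record is normally protected by DNSSEC or fetched over DoT/DoH) must not be able to crash the client with a truncated ECHConfig, and an unknown `version` is kept rather than rejected so a client can still fall back to the TLS library's own handling.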
