introduce PFS

[chrisdlangton]

discussion #1822

[codecov-io]

Codecov Report

Merging #1823 into develop will decrease coverage by 0.02%.
The diff coverage is 100%.

@@             Coverage Diff             @@
##           develop    #1823      +/-   ##
===========================================
- Coverage    92.54%   92.52%   -0.03%     
===========================================
  Files           53       53              
  Lines         9958     9970      +12     
===========================================
+ Hits          9216     9225       +9     
- Misses         742      745       +3

Impacted Files	Coverage Δ
botocore/session.py	98.08% <ø> (ø)	⬆️
botocore/utils.py	97.98% <100%> (ø)	⬆️
botocore/endpoint.py	98.6% <100%> (+0.01%)	⬆️
botocore/args.py	100% <100%> (ø)	⬆️
botocore/client.py	99.76% <100%> (ø)	⬆️
botocore/httpsession.py	92.57% <100%> (+0.12%)	⬆️
botocore/credentials.py	98.5% <0%> (-0.35%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 753b70e...d85f30b. Read the comment docs.

[chrisdlangton]

I've checked each file this PR touches in the codecov reports and all the LOC codecov says are not covered are not any LOC this PR changed...

[chrisdlangton]

code review?
@jamesls
@JordonPhillips
@awstools
@kyleknap
@stealthycoin
@joguSD
@kyleknap

[joguSD]

@chrisdlangton I think at this point trying to offer configuration for every knob in the SSLContext is too much and it's probably a better approach to just allow a custom SSLContext to be passed as a client configuration.

[chrisdlangton]

@joguSD it is curious you mention this, should I also refactor out the use_ssl and expect an end-user to know how to construct the primitives themselves?

no...

that is crazy..

For a framework/library, it is nonsensical to suggest frameworks/libraries should not introduce a feature flag.

This PR is introducing a feature flag so an end-user can simply chose to enforce the feature called pfs (Perfect Forward Secrecy as it is known) which is actually just a select ciphersuite that (few) people actually know the correct options to use to do this (probably why not many people are doing this today, it's damn hard)

So i fundamentally disagree, we should definitely be abstracticting away these extremely complex features behind a feature flag, botocore does this is almost every line of code.. the most analogous feature flag is the use_ssl flag...

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. Because it has been longer than one year since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to reopen it.