socketmodule ssl: server & thread

[jhatala]

BPO	452110
Nosy	@gvanrossum
Files	python-2.2a3-socket-ssl-2.patch: enhanced patch against 2.2a3 socketmodule-sslserver.patch: patch against 2.1, works with 2.2a1 too

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2001-10-22.13:51:53.000>
created_at = <Date 2001-08-17.15:10:01.000>
labels = ['library']
title = 'socketmodule ssl: server &amp; thread'
updated_at = <Date 2001-10-22.13:51:53.000>
user = 'https://bugs.python.org/jhatala'

bugs.python.org fields:

activity = <Date 2001-10-22.13:51:53.000>
actor = 'ghaering'
assignee = 'jhylton'
closed = True
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2001-08-17.15:10:01.000>
creator = 'jhatala'
dependencies = []
files = ['3536', '3537']
hgrepos = []
issue_num = 452110
keywords = ['patch']
message_count = 8.0
messages = ['37346', '37347', '37348', '37349', '37350', '37351', '37352', '37353']
nosy_count = 4.0
nosy_names = ['gvanrossum', 'jhylton', 'ghaering', 'jhatala']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue452110'
versions = []

[jhatala]

Simple enhancement to the SSL support in module socket
:

• support for writing SSL servers (as well as clients)
• Py_*_ALLOW_THREADS arround blocking calls to openssl
• rsa temp key to work with older export netscape
• renamed attribute server to peer

This patch allows for powerfull application servers
like the following one to be accessed with "netscape
https://localhost:1443/"

from socket import *
p=socket(AF_INET,SOCK_STREAM)
p.bind(('localhost',1443))
p.listen(1)
while 1 :
        s,a = p.accept()
        c = sslserver(s,'server.key','server.crt')
        print "They said:", c.read()
        c.write('HTTP/1.0 200 OK\r\n')
        c.write('Content-Type: text/plain\r\n\r\n** Hi!
**')
        c.close()

TODO: a kind of makefile() on the ssl object like on a
socket would be welcome.

Have fun,

jh

[gvanrossum]

Logged In: YES
user_id=6380

Nice, but where's the documentation? (Thanks for the
docstrings though!) And the test suite?

[jhylton]

Logged In: YES
user_id=31392

Jozef-- are you going to contribute tests and documentation?

[jhatala]

Logged In: YES
user_id=300564

I'll submit a simple test with certificates and an enhanced
patch for 2.2a2 (does not patch cleanly any more) soon (this
week) [time and inet access issues].
I haven't written any doc. There was none for ssl. I know
that is no excuse...
Does some-one volonotere?

[jhylton]

Logged In: YES
user_id=31392

If you can provide test cases, I'll provide documentation.
But hurry, if we don't get this done this week, we may miss
Python 2.2.

[jhatala]

Logged In: YES
user_id=300564

This patch now against Python 2.2a3 contains:
SSL server support (SSL_accept) [as before]
additionally:
allow threads around getaddrinfo &Co.
more verbose exc messages (for failures in ssl() and sslserver())
methods recv and send on ssl object as equivalents of read and write.
methods makefile on ssl object (a look-alike and does no dup!)
a client/server test (depends on os.fork())

[gvanrossum]

Logged In: YES
user_id=6380

Time to look at this again?

[ghaering]

Logged In: YES
user_id=163326

I don't think it is a good idea to add this. Python's
builtin client-side SSL support is already pretty weak. This
patch would add a minimal SSL server implementation, but it
shares some of the same weaknesses, like missing the ability
to set the SSL method (version 2, version 3, version 2 or
3). I'd recommend not adding any more SSL features at this
point, but for Python 2.2 only keeping the existing
client-side functionality and fixing any remaining bugs there.

I'm working on something that would hopefully be better in
the longrun: an SSL API that the various Python SSL modules
(m2crypto, POW, pyOpenSSL) can implement and Python will
then use one of these third-party modules for https,
smtp/tls etc. Sort of a plugin ability for an SSL module.
If you add stuff to the broken SSL API now, you'll either
have to carry it around for a long time or, if my proposal
get implemented and accepted, the workarounds will be clunkier.