SSL: Add client and server protocols for SSLContext

[tiran]

BPO	28085
Nosy	@tiran

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2017-09-06.16:46:48.982>
created_at = <Date 2016-09-11.21:54:39.271>
labels = ['extension-modules', 'expert-SSL', 'type-feature', '3.7']
title = 'SSL: Add client and server protocols for SSLContext'
updated_at = <Date 2017-09-06.16:46:48.980>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2017-09-06.16:46:48.980>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2017-09-06.16:46:48.982>
closer = 'christian.heimes'
components = ['Extension Modules', 'SSL']
creation = <Date 2016-09-11.21:54:39.271>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 28085
keywords = []
message_count = 4.0
messages = ['275862', '275866', '275871', '301480']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue28085'
versions = ['Python 3.6', 'Python 3.7']

[tiran]

In ticket bpo-28022 and in thread https://mail.python.org/pipermail/python-dev/2016-September/146366.html I discussed two new protocols for SSLContext: PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. A SSLContext with PROTOCOL_TLS_CLIENT can only create connections to a server but cannot wrap server sockets. We can use it to have better defaults (e.g. cert validation and hostname verification for client side) and to make it impossible to confuse a server context with a client context. In the long run I'm planning to deprecate all but PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER.

---
Finally (and this is the biggest) I like to change how the protocols
work. OpenSSL 1.1.0 has deprecated all version specific protocols. Soon
OpenSSL will only support auto-negotiation (formerly known as
PROTOCOL_SSLv23). My patch bpo-26470 added PROTOCOL_TLS as alias for
PROTOCOL_SSLv23. If the last idea is accepted I will remove PROTOCOL_TLS
again. It hasn't been released yet. Instead I'm going to add
PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER (see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html
TLS_server_method(), TLS_client_method()). PROTOCOL_TLS_CLIENT is like
PROTOCOL_SSLv23 but only supports client-side sockets and
PROTOCOL_TLS_SERVER just server-side sockets. In my experience we can't
have a SSLContext with sensible and secure settings for client and
server at the same time. Hostname checking and cert validation is only
sensible for client-side sockets.
---

[python-dev]

New changeset 3ea641343244 by Christian Heimes in branch 'default':
Issue bpo-28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
https://hg.python.org/cpython/rev/3ea641343244

[tiran]

I pushed basic support for PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER in 3ea641343244. I have another patch that removes PROTOCOL_TLS again and changes create_default_context() to return either a server and client SSLContext. The change is a small possibility to break code that used the create_default_context() in a wrong way.

[tiran]

The issue is resolved. I'll address the other PROTOCOL constants in my upcoming PEP.