SSL: Add client and server protocols for SSLContext #72272

Closed
tiran opened this issue Sep 11, 2016 · 4 comments
Labels: 3.7, expert-SSL, extension-modules (C modules in the Modules dir), type-feature (A feature request or enhancement)

Comments

@tiran (Member) commented Sep 11, 2016

BPO 28085
Nosy @tiran

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2017-09-06.16:46:48.982>
created_at = <Date 2016-09-11.21:54:39.271>
labels = ['extension-modules', 'expert-SSL', 'type-feature', '3.7']
title = 'SSL: Add client and server protocols for SSLContext'
updated_at = <Date 2017-09-06.16:46:48.980>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2017-09-06.16:46:48.980>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2017-09-06.16:46:48.982>
closer = 'christian.heimes'
components = ['Extension Modules', 'SSL']
creation = <Date 2016-09-11.21:54:39.271>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 28085
keywords = []
message_count = 4.0
messages = ['275862', '275866', '275871', '301480']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue28085'
versions = ['Python 3.6', 'Python 3.7']

@tiran (Member, Author) commented Sep 11, 2016

In ticket bpo-28022 and in thread https://mail.python.org/pipermail/python-dev/2016-September/146366.html I discussed two new protocols for SSLContext: PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. An SSLContext with PROTOCOL_TLS_CLIENT can only create connections to a server but cannot wrap server sockets. We can use it to have better defaults (e.g. cert validation and hostname verification for client side) and to make it impossible to confuse a server context with a client context. In the long run I'm planning to deprecate all but PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER.

---
Finally (and this is the biggest) I'd like to change how the protocols
work. OpenSSL 1.1.0 has deprecated all version specific protocols. Soon
OpenSSL will only support auto-negotiation (formerly known as
PROTOCOL_SSLv23). My patch bpo-26470 added PROTOCOL_TLS as alias for
PROTOCOL_SSLv23. If the last idea is accepted I will remove PROTOCOL_TLS
again. It hasn't been released yet. Instead I'm going to add
PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER (see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html
TLS_server_method(), TLS_client_method()). PROTOCOL_TLS_CLIENT is like
PROTOCOL_SSLv23 but only supports client-side sockets and
PROTOCOL_TLS_SERVER just server-side sockets. In my experience we can't
have an SSLContext with sensible and secure settings for client and
server at the same time. Hostname checking and cert validation are only
sensible for client-side sockets.
---
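The behaviour described in the comment above can be checked directly against the ssl module. The following is an added example, not code from the issue or from CPython's own test suite; it assumes Python 3.6 or later (the first release with PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER) and uses only the public ssl and socket APIs. It compares the verification defaults of the three context kinds and shows what happens when a client-only context is used to wrap the server end of a connection. Constructing a context with PROTOCOL_TLS raises a DeprecationWarning on Python 3.10 and later, which the example silences so the comparison still runs there.

```python
import socket
import ssl
import warnings


def describe_context(protocol):
    """Return the security-relevant defaults of an SSLContext built with `protocol`."""
    with warnings.catch_warnings():
        # PROTOCOL_TLS is deprecated since Python 3.10 and warns on construction;
        # ignore that so the legacy context can still be compared here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(protocol)
    return {
        "check_hostname": ctx.check_hostname,
        # verify_mode is a VerifyMode enum (CERT_NONE / CERT_OPTIONAL / CERT_REQUIRED)
        "verify_mode": ctx.verify_mode.name,
    }


def defaults_by_protocol():
    """Compare the client-only, server-only and legacy auto-negotiating contexts."""
    return {
        "PROTOCOL_TLS_CLIENT": describe_context(ssl.PROTOCOL_TLS_CLIENT),
        "PROTOCOL_TLS_SERVER": describe_context(ssl.PROTOCOL_TLS_SERVER),
        "PROTOCOL_TLS": describe_context(ssl.PROTOCOL_TLS),
    }


def try_wrap_server_side(ctx):
    """Wrap the server end of a socketpair with `ctx` without handshaking.

    Returns None when ssl accepts the socket, or the ValueError message when
    it refuses. No certificate is loaded; the point is the wrap-time check,
    not a completed handshake.
    """
    left, right = socket.socketpair()
    try:
        wrapped = ctx.wrap_socket(right, server_side=True,
                                  do_handshake_on_connect=False)
        wrapped.close()
        return None
    except ValueError as exc:
        return str(exc)
    finally:
        left.close()
        right.close()


def misuse_check():
    """Demonstrate the confusion guard: a client context refuses server-side wrapping.

    The refusal comes from the client context's check_hostname default, which
    demands a server_hostname that server-side sockets cannot have.
    """
    return {
        "client_ctx_as_server": try_wrap_server_side(
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)),
        "server_ctx_as_server": try_wrap_server_side(
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)),
    }


if __name__ == "__main__":
    for name, defaults in defaults_by_protocol().items():
        print(f"{name:20s} {defaults}")
    for name, outcome in misuse_check().items():
        print(f"{name:22s} -> {outcome!r}")
```

The client context comes up with check_hostname=True and verify_mode=CERT_REQUIRED, while both the server context and the legacy PROTOCOL_TLS context start with check_hostname=False and CERT_NONE; that difference is exactly the "better defaults" the comment refers to, and it is also why a PROTOCOL_TLS context handed to client code silently skips peer verification unless the caller remembers to turn it on. Note that the ValueError above is raised before any bytes hit the wire; a caller who clears check_hostname on a client context only moves the failure to the handshake, where OpenSSL's client-only method cannot act as a server.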

@tiran tiran added the 3.7 label Sep 11, 2016
@tiran tiran self-assigned this Sep 11, 2016
@tiran tiran added extension-modules C modules in the Modules dir type-feature A feature request or enhancement labels Sep 11, 2016
@python-dev (Mannequin) commented Sep 11, 2016

New changeset 3ea641343244 by Christian Heimes in branch 'default':
Issue bpo-28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
https://hg.python.org/cpython/rev/3ea641343244

@tiran (Member, Author) commented Sep 11, 2016

I pushed basic support for PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER in 3ea641343244. I have another patch that removes PROTOCOL_TLS again and changes create_default_context() to return either a server or a client SSLContext. The change has a small possibility of breaking code that used create_default_context() in a wrong way.

@tiran (Member, Author) commented Sep 6, 2017

The issue is resolved. I'll address the other PROTOCOL constants in my upcoming PEP.

@tiran tiran closed this as completed Sep 6, 2017
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022