Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

alex · 2017-03-14T16:17:50Z

BPO	29810
Nosy	@tiran, @alex, @dstufft

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2017-03-14.16:17:49.536>
labels = []
title = 'Rename ssl.Purpose.{CLIENT,SERVER}_AUTH'
updated_at = <Date 2017-03-14.16:48:50.514>
user = 'https://github.com/alex'

bugs.python.org fields:

activity = <Date 2017-03-14.16:48:50.514>
actor = 'alex'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = []
creation = <Date 2017-03-14.16:17:49.536>
creator = 'alex'
dependencies = []
files = []
hgrepos = []
issue_num = 29810
keywords = []
message_count = 5.0
messages = ['289601', '289604', '289605', '289606', '289607']
nosy_count = 4.0
nosy_names = ['janssen', 'christian.heimes', 'alex', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue29810'
versions = []

alex · 2017-03-14T16:17:49Z

The names are super misleading. First, they're written in a way that's the opposite of how people think about these things (CLIENT_AUTH -> server socket; SERVER_AUTH -> client socket). Second, they're misleading, you can have TLS which is *mutually* authenticated. Third, CLIENT_AUTH is very frequently used for a server socket where the client isn't authenticated (at the TLS layer) at all!

A simple fix would be to add: Purpose.{CLIENT,SERVER}_SOCKET and alias the old names to those values.

tiran · 2017-03-14T16:38:30Z

For 3.7 I'm planning to move to protocols instead of purpose oids (PROTOCOL_TLS_CLIENT, PROTOCOL_TLS_SERVER).

alex · 2017-03-14T16:40:50Z

Ah, so instead of PROTOCOL_SSLv23 using PROTOCOL_TLS_CLIENT and deprecating the Purpose bits entirely? That sounds good to me!

tiran · 2017-03-14T16:48:30Z

Yes, I'm planning a PEP to make the SSL module a bit more sane:

deprecate all protocols except for PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER
deprecate purpose in favor of PROTOCOL_TLS_*
PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED, match_hostname=True

alex · 2017-03-14T16:48:50Z

Sounds good to me!

Rally is a client, so its purpose is to authenticate servers. This means that we should use ssl.Purpose.SERVER_AUTH instead of CLIENT_AUTH, with or without client certs. This is super confusing, see python/cpython#73996. Anyway, in 3.10 making this mistake isn't possible anymore due python/cpython#26646. To make sure this does not break in the future, we also add tests for the IP and client certs cases.

ezio-melotti transferred this issue from another repository Apr 10, 2022

pquentin mentioned this issue May 9, 2022

use_ssl: True broken on Python 3.10 and later elastic/rally#1484

Closed

pquentin mentioned this issue May 20, 2022

Fix use_ssl: True on Python 3.10 elastic/rally#1496

Merged

iritkatriel added the stdlib Python modules in the Lib dir label Nov 27, 2023

vadmium mentioned this issue Feb 11, 2024

Confusing behavior of ssl.create_default_context() #96972

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

alex commented Mar 14, 2017

alex commented Mar 14, 2017

tiran commented Mar 14, 2017

alex commented Mar 14, 2017

tiran commented Mar 14, 2017

alex commented Mar 14, 2017

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

Comments

alex commented Mar 14, 2017

alex commented Mar 14, 2017

tiran commented Mar 14, 2017

alex commented Mar 14, 2017

tiran commented Mar 14, 2017

alex commented Mar 14, 2017