Message 101986 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	cbay
Recipients	cbay, giampaolo.rodola, janssen, pitrou, r.david.murray, vstinner
Date	2010-03-31.09:26:16
SpamBayes Score	5.62983e-06
Marked as misclassified	No
Message-id	<1270027580.78.0.0986147628582.issue8240@psf.upfronthosting.co.za>
In-reply-to

Content
I had a look at how M2Crypto and pyOpenSSL handled this: - M2Crypto has wrappers around SSL_set_mode that let you set the modes you want. From their changelog [1], it was required to be able to operate with Twisted. By default, though, they only set SSL_MODE_AUTO_RETRY. - pyOpenSSL enables everything by default, and there's no set_mode wrapper. Here is the relevant code: /* Some initialization that's required to operate smoothly in Python */ SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE \| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER \| SSL_MODE_AUTO_RETRY); I don't see any other possible alternative. I'm not sure which one is better. Implementing a set_mode wrapper with no mode set by default has no compatibility issues, although we'd still have that 'bad write retry' OpenSSL error. On the other hand, setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default is easy but we lose some security (and, possibly, some compatibility problems, although I doubt anyone relies on the 'bad write retry' error). What do you think? I'd be ready to write the patch for the set_mode wrapper if you want.

I had a look at how M2Crypto and pyOpenSSL handled this:

 - M2Crypto has wrappers around SSL_set_mode that let you set the modes you want. From their changelog [1], it was required to be able to operate with Twisted. By default, though, they only set SSL_MODE_AUTO_RETRY.

 - pyOpenSSL enables everything by default, and there's no set_mode wrapper. Here is the relevant code:

/* Some initialization that's required to operate smoothly in Python */
SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
                            SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                            SSL_MODE_AUTO_RETRY);

I don't see any other possible alternative. I'm not sure which one is better. Implementing a set_mode wrapper with no mode set by default has no compatibility issues, although we'd still have that 'bad write retry' OpenSSL error.

On the other hand, setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default is easy but we lose some security (and, possibly, some compatibility problems, although I doubt anyone relies on the 'bad write retry' error).

What do you think? I'd be ready to write the patch for the set_mode wrapper if you want.

History
Date	User	Action	Args
2010-03-31 09:26:21	cbay	set	recipients: + cbay, janssen, pitrou, vstinner, giampaolo.rodola, r.david.murray
2010-03-31 09:26:20	cbay	set	messageid: <1270027580.78.0.0986147628582.issue8240@psf.upfronthosting.co.za>
2010-03-31 09:26:18	cbay	link	issue8240 messages
2010-03-31 09:26:17	cbay	create