Issue 28085: SSL: Add client and server protocols for SSLContext - Python tracker

classification

Title:	SSL: Add client and server protocols for SSLContext
Type:	enhancement	Stage:	resolved
Components:	Extension Modules, SSL	Versions:	Python 3.7, Python 3.6

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	christian.heimes	Nosy List:	christian.heimes, python-dev
Priority:	normal	Keywords:

Created on 2016-09-11 21:54 by christian.heimes, last changed 2017-09-06 16:46 by christian.heimes. This issue is now closed.

Messages (4)
msg275862 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2016-09-11 21:54
In ticket #28022 and in thread https://mail.python.org/pipermail/python-dev/2016-September/146366.html I discussed two new protocols for SSLContext: PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. A SSLContext with PROTOCOL_TLS_CLIENT can only create connections to a server but cannot wrap server sockets. We can use it to have better defaults (e.g. cert validation and hostname verification for client side) and to make it impossible to confuse a server context with a client context. In the long run I'm planning to deprecate all but PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER. --- Finally (and this is the biggest) I like to change how the protocols work. OpenSSL 1.1.0 has deprecated all version specific protocols. Soon OpenSSL will only support auto-negotiation (formerly known as PROTOCOL_SSLv23). My patch #26470 added PROTOCOL_TLS as alias for PROTOCOL_SSLv23. If the last idea is accepted I will remove PROTOCOL_TLS again. It hasn't been released yet. Instead I'm going to add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER (see https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html TLS_server_method(), TLS_client_method()). PROTOCOL_TLS_CLIENT is like PROTOCOL_SSLv23 but only supports client-side sockets and PROTOCOL_TLS_SERVER just server-side sockets. In my experience we can't have a SSLContext with sensible and secure settings for client and server at the same time. Hostname checking and cert validation is only sensible for client-side sockets. ---
msg275866 - (view)	Author: Roundup Robot (python-dev)	Date: 2016-09-11 22:02
New changeset 3ea641343244 by Christian Heimes in branch 'default': Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext https://hg.python.org/cpython/rev/3ea641343244
msg275871 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2016-09-11 22:09
I pushed basic support for PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER in 3ea641343244. I have another patch that removes PROTOCOL_TLS again and changes create_default_context() to return either a server and client SSLContext. The change is a small possibility to break code that used the create_default_context() in a wrong way.
msg301480 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2017-09-06 16:46
The issue is resolved. I'll address the other PROTOCOL constants in my upcoming PEP.

History
Date	User	Action	Args
2017-09-06 16:46:48	christian.heimes	set	status: open -> closed resolution: fixed messages: + msg301480 stage: patch review -> resolved
2016-09-15 07:48:54	christian.heimes	set	components: + SSL
2016-09-11 22:09:45	christian.heimes	set	messages: + msg275871
2016-09-11 22:02:01	python-dev	set	nosy: + python-dev messages: + msg275866
2016-09-11 21:54:39	christian.heimes	create