Suppose you're writing a library that allows users to make or accept SSL/TLS connections. You use the 'ssl' module, because that's convenient. You need to let your users configure your SSL/TLS connections, and there really isn't any generic abstract way to do that -- SSL/TLS configuration is pretty complicated -- so you let your users set up an ssl.SSLContext and pass it into your API.

Later, you hit a limit in the ssl module and want to switch to PyOpenSSL, or perhaps eventually PEP 543. No problem: just switch what you're doing internally, and use some shim code to take the ssl.SSLContext objects that your users are passing in, and convert that to whatever your new library wants.

Except... ssl.SSLContext objects are almost entirely opaque. You can't read off the ciphers, or the ALPN protocols, or the servername_callback... so you're sunk. Once you expose ssl.SSLContext in your public API, you're stuck using the ssl module forever.

It would be nice if ssl.SSLContext provided getters that let you read off all the different configuration it holds.

I'm considering to add CAPI capsule to the _ssl module. It would allow third parties to get hold of the internal SSL* and SSL_CTX* pointers.

Let's see what's missing:

* alpn_protocols -- OpenSSL doesn't have SSL_CTX_get_alpn_protos(), so we'd have to keep the list around ourselves.
* npn_protocols -- deprecated, I'd rather add a getter
* servername_callback -- simply expose the PyObject* from our struct
* ecdh_curve -- OpenSSL has no getter
* ciphers is covered by https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ciphers It doens't return the cipher string but the actual list of enabled ciphers with some extra metadata.

I opened an issue about missing getters for ALPN protos in OpenSSL 1.1: https://github.com/openssl/openssl/issues/4952

I think we already hold onto the ALPN list internally.

A possibly stickier issue is retrieving certificates, keys, trust db configuration.

For certs and keys I have some plans. You might not be able to get hold of the actual private key bits, but it is always possible to get the public bits and key information.

The trust store information is pretty much opaque and often loaded by demand. https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs and https://docs.python.org/3/library/ssl.html#ssl.get_default_verify_paths is pretty much everything I know how to retrieve. If find more stuff, I'm more than happy to expose it.

Yeah, I'm not entirely sure whether fixing this is actually doable or worthwhile, but figured I should at least make an issue to discuss :-).

The problem is, in the motivating use case of wanting to be able to reliably convert an SSLContext into some other representation, we really need to be able to get 100% of the configuration out. I think the trust configuration can probably be handled in principle by remembering the arguments to any calls to load_verify_locations, so they can be replayed later. But... that won't work for private keys, because if they're password-protected then replaying a call to load_cert_chain will end up prompting for the password twice. So maybe we really would need a way to pull out the actual private key bits. And if we can't do that, then maybe it's not worth stressing about the other stuff either...

Let's see how much we can fix in 3.8. Maybe I'll find enough free time to implement PEP 543 for Python 3.8.