Message 232489 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	alex, benjamin.peterson, dstufft, lemburg, r.david.murray
Date	2014-12-11.20:37:59
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<548A00A0.3080909@egenix.com>
In-reply-to	<1418329590.2570749.201827961.6C1B2B49@webmail.messagingengine.com>

Content
> Benjamin Peterson added the comment: > > On Thu, Dec 11, 2014, at 15:24, Marc-Andre Lemburg wrote: >> >> Marc-Andre Lemburg added the comment: >> >> On 11.12.2014 20:42, Benjamin Peterson wrote: >>> >>> Usually you can pass your own context. >> >> Yes, in new code, but not in existing Python 2.7 code that wasn't >> written for the newly added SSL context feature. > > How is modifying code to use a context different from modifying it to > mess around with a hypothetical ssl.DEFAULT_SSL_OPTIONS? Hmm, isn't that obvious ? You only have to add a single line of code to tweak the default options rather than add context support throughout your application. >> BTW: Having a way to change the SSL options globally would be useful >> for Python 3.x as well, since OpenSSL often adds new options and >> it's not unlikely we'll see an OP_NO_TLSv1 option soon, given its >> age and similarity to SSLv3... >> https://www.imperialviolet.org/2014/12/08/poodleagain.html >> (the poodle strikes back ;-)) > > That option already exists and is exposed. :) Right, but it's not used in the current default context. Hard coding options in a function is not a good idea, really, esp. not for things that change as often as cipher strings and protocol options :-)

> Benjamin Peterson added the comment:
> 
> On Thu, Dec 11, 2014, at 15:24, Marc-Andre Lemburg wrote:
>>
>> Marc-Andre Lemburg added the comment:
>>
>> On 11.12.2014 20:42, Benjamin Peterson wrote:
>>>
>>> Usually you can pass your own context.
>>
>> Yes, in new code, but not in existing Python 2.7 code that wasn't
>> written for the newly added SSL context feature.
> 
> How is modifying code to use a context different from modifying it to
> mess around with a hypothetical ssl.DEFAULT_SSL_OPTIONS?

Hmm, isn't that obvious ?

You only have to add a single line of code to tweak the default
options rather than add context support throughout your application.

>> BTW: Having a way to change the SSL options globally would be useful
>> for Python 3.x as well, since OpenSSL often adds new options and
>> it's not unlikely we'll see an OP_NO_TLSv1 option soon, given its
>> age and similarity to SSLv3...
>> https://www.imperialviolet.org/2014/12/08/poodleagain.html
>> (the poodle strikes back ;-))
> 
> That option already exists and is exposed. :)

Right, but it's not used in the current default context.

Hard coding options in a function is not a good idea, really, esp.
not for things that change as often as cipher strings and protocol
options :-)

History
Date	User	Action	Args
2014-12-11 20:38:00	lemburg	set	recipients: + lemburg, benjamin.peterson, alex, r.david.murray, dstufft
2014-12-11 20:38:00	lemburg	link	issue22866 messages
2014-12-11 20:37:59	lemburg	create