
Author: christian.heimes
Recipients: christian.heimes, njs, steve.dower
Date: 2021-04-21.07:59:52
Message-id: <1618991993.39.0.313806581209.issue43902@roundup.psfhosted.org>

Content
Python's ssl module exposes a limited and opinionated set of knobs to tune OpenSSL's behavior. Each new setter, getter, or function must be carefully designed, tested, and documented. For each feature, OpenSSL's C API must be converted into a Pythonic, self-explanatory interface.

I would like to give experts and power users an interface to set advanced options. libffi-based solutions like ctypes and cffi are obvious choices. For libffi to work, users need to be able to get the address of ssl.SSLContext()'s SSL_CTX pointer and the SSL* pointer of the internal _SSLSocket object.

While it's possible to use pointer arithmetic with id(ctx) + offset, I would like to add a more convenient way. Pointer arithmetic with ctypes is non-trivial. Users would have to rely on the internal, private layout of the PySSLContext and PySSLSocket structs. I'm considering two new methods, ctx._ssl_ctx_addr and ssl._ssl_addr (names are tentative).

>>> import ssl, ctypes
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> libssl = ctypes.CDLL("libssl.so.1.1")  # ssl._ssl.__file__ works, too
>>> # declare the prototype: without argtypes ctypes passes the address as a C int
>>> # and silently truncates a 64-bit SSL_CTX* pointer
>>> libssl.SSL_CTX_set_ciphersuites.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
>>> libssl.SSL_CTX_set_ciphersuites(ctx._ssl_ctx_addr(), b"TLS_CHACHA20_POLY1305_SHA256")
1

Steve, Nathaniel, how do you like the idea in general? Do you have better ideas for function names?
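The following is an added example, not code from the issue or from CPython. It shows the ctypes pattern the proposal relies on, with the two checks a practitioner needs before handing a raw address to libssl: a probe that the libssl symbols are actually resolvable through the chosen handle, and explicit argtypes/restype declarations so a 64-bit pointer is never passed as a C int. Because the proposed _ssl_ctx_addr() does not exist yet, the example creates its own SSL_CTX with SSL_CTX_new() instead of taking the address from an ssl.SSLContext; every other call is the same one the proposal would make. It assumes a dynamically linked libssl from OpenSSL 1.1.1 or later (needed for SSL_CTX_set_ciphersuites) reachable either through ssl._ssl.__file__ or ctypes.util.find_library.

```python
import ctypes
import ctypes.util
import ssl


def load_libssl():
    """Return a ctypes handle through which libssl symbols resolve.

    dlsym() on a handle searches the object and its dependencies, so the _ssl
    extension module itself usually works; fall back to find_library() when
    _ssl was linked statically. Raise rather than silently return a handle
    that lacks the symbols we need.
    """
    candidates = [ssl._ssl.__file__, ctypes.util.find_library("ssl")]
    for path in candidates:
        if not path:
            continue
        try:
            lib = ctypes.CDLL(path)
            lib.SSL_CTX_new  # probe; AttributeError if libssl is not reachable
            return lib
        except (OSError, AttributeError):
            continue
    raise OSError("could not locate a libssl reachable through ctypes")


def declare_prototypes(libssl):
    """Declare C prototypes for every call we make.

    ctypes converts an undeclared Python int argument to a C int, which
    truncates a 64-bit address; c_void_p keeps the full pointer width.
    """
    libssl.TLS_method.argtypes = []
    libssl.TLS_method.restype = ctypes.c_void_p
    libssl.SSL_CTX_new.argtypes = [ctypes.c_void_p]
    libssl.SSL_CTX_new.restype = ctypes.c_void_p
    libssl.SSL_CTX_free.argtypes = [ctypes.c_void_p]
    libssl.SSL_CTX_free.restype = None
    libssl.SSL_CTX_set_ciphersuites.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    libssl.SSL_CTX_set_ciphersuites.restype = ctypes.c_int
    return libssl


def set_tls13_ciphersuites(suites: str) -> int:
    """Apply a TLS 1.3 cipher suite list to a fresh SSL_CTX via ctypes.

    Returns OpenSSL's result: 1 on success, 0 if no suite in the list matched.
    The SSL_CTX here is created natively (assumption); with the proposed
    ctx._ssl_ctx_addr() the address of an ssl.SSLContext would be passed
    instead, and the Python object must stay alive for as long as the
    address is in use.
    """
    libssl = declare_prototypes(load_libssl())
    ctx = libssl.SSL_CTX_new(libssl.TLS_method())
    if not ctx:  # c_void_p restype yields None for a NULL pointer
        raise MemoryError("SSL_CTX_new() failed")
    try:
        return libssl.SSL_CTX_set_ciphersuites(ctx, suites.encode("ascii"))
    finally:
        libssl.SSL_CTX_free(ctx)


def truncated_as_c_int(address: int) -> int:
    """Show what an undeclared argument does to a pointer above 4 GiB."""
    return ctypes.c_int(address).value


if __name__ == "__main__":
    print(set_tls13_ciphersuites("TLS_CHACHA20_POLY1305_SHA256"))  # 1
    print(set_tls13_ciphersuites("NOT_A_SUITE"))  # 0, error queued in OpenSSL
    print(hex(truncated_as_c_int(0x7F12_3456_7890)))  # low 32 bits only
```

Whatever the final method names are, the declarations in declare_prototypes are the part users of _ssl_ctx_addr()/_ssl_addr() must get right themselves: ctypes cannot know that the integer it is handed is a pointer, and a truncated SSL_CTX* fails only at runtime, typically as a crash inside libssl rather than a Python exception.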
History
Date | User | Action | Args
2021-04-21 07:59:53 | christian.heimes | set | recipients: + christian.heimes, njs, steve.dower
2021-04-21 07:59:53 | christian.heimes | set | messageid: <1618991993.39.0.313806581209.issue43902@roundup.psfhosted.org>
2021-04-21 07:59:53 | christian.heimes | link | issue43902 messages
2021-04-21 07:59:52 | christian.heimes | create |