Message391498
Python's ssl module exposes a limited and opinionated set of knobs to tune OpenSSL's behavior. Each new setter, getter, or function must be carefully designed, tested, and documented. For each feature, OpenSSL's C API must be converted into a Pythonic, self-explanatory interface.
I would like to give experts and power users an interface to set advanced options. libffi-based solutions like ctypes and cffi are obvious choices. For libffi to work, users need to be able to get the address of ssl.SSLContext()'s SSL_CTX pointer and the SSL* pointer of the internal _SSLSocket object.
While it's possible to use pointer arithmetic with id(ctx) + offset, I would like to add a more convenient way. Pointer arithmetic with ctypes is non-trivial. Users would have to rely on the internal, private layout of the PySSLContext and PySSLSocket structs. I'm considering two new methods ctx._ssl_ctx_addr and ssl._ssl_addr (names are tentative).
>>> import ssl, ctypes
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> libssl = ctypes.CDLL("libssl.so.1.1") # ssl._ssl.__file__ works, too
>>> libssl.SSL_CTX_set_ciphersuites(ctx._ssl_ctx_addr(), b"TLS_CHACHA20_POLY1305_SHA256")
1
Steve, Nathaniel, how do you like the idea in general? Do you have better ideas for function names?

Date | User | Action | Args
2021-04-21 07:59:53 | christian.heimes | set | recipients: + christian.heimes, njs, steve.dower
2021-04-21 07:59:53 | christian.heimes | set | messageid: <1618991993.39.0.313806581209.issue43902@roundup.psfhosted.org>
2021-04-21 07:59:53 | christian.heimes | link | issue43902 messages
2021-04-21 07:59:52 | christian.heimes | create |
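The ctypes call shown in the message passes a raw address into libssl, so the prototypes matter: by default ctypes converts Python ints and return values as C int, which truncates a 64-bit SSL_CTX pointer. The sketch below is an added example, not code from the message or from CPython; because the proposed _ssl_ctx_addr() is only tentative, it allocates its own SSL_CTX through ctypes, and the helper names load_libssl and set_tls13_suites are hypothetical.

```python
import ctypes
import ctypes.util
import ssl


def load_libssl():
    """Return a CDLL exposing libssl symbols, or None if none can be loaded."""
    # The message notes ssl._ssl.__file__ works as a library path; fall back to
    # the system libssl when _ssl is built in or does not export the symbols.
    candidates = [getattr(ssl._ssl, "__file__", None),
                  ctypes.util.find_library("ssl")]
    for path in candidates:
        if not path:
            continue
        try:
            lib = ctypes.CDLL(path)
            # Declare pointer-sized prototypes. Without them ctypes treats
            # arguments and results as C int and truncates 64-bit pointers.
            lib.TLS_server_method.restype = ctypes.c_void_p
            lib.TLS_server_method.argtypes = []
            lib.SSL_CTX_new.restype = ctypes.c_void_p
            lib.SSL_CTX_new.argtypes = [ctypes.c_void_p]
            lib.SSL_CTX_set_ciphersuites.restype = ctypes.c_int
            lib.SSL_CTX_set_ciphersuites.argtypes = [ctypes.c_void_p,
                                                     ctypes.c_char_p]
            lib.SSL_CTX_free.restype = None
            lib.SSL_CTX_free.argtypes = [ctypes.c_void_p]
            return lib
        except (OSError, AttributeError):
            continue  # not loadable, or symbols not exported from this file
    return None


def set_tls13_suites(suites: bytes):
    """True/False for OpenSSL's 1/0 result; None when libssl is unavailable."""
    lib = load_libssl()
    if lib is None:
        return None
    ctx = lib.SSL_CTX_new(lib.TLS_server_method())
    if not ctx:
        raise MemoryError("SSL_CTX_new returned NULL")
    try:
        # Same call as in the message, on a context owned by this function.
        return lib.SSL_CTX_set_ciphersuites(ctx, suites) == 1
    finally:
        lib.SSL_CTX_free(ctx)
```

The same argtypes declaration would apply to an address obtained from an ssl.SSLContext, where the pointer must also stay valid for as long as the Python object owning it is alive.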