Cyril <c...@excellency.fr> added the comment:

I had a look at how M2Crypto and pyOpenSSL handled this:

- M2Crypto has wrappers around SSL_set_mode that let you set the modes you want. From their changelog [1], it was required to be able to operate with Twisted. By default, though, they only set SSL_MODE_AUTO_RETRY.

- pyOpenSSL enables everything by default, and there's no set_mode wrapper. Here is the relevant code:

    /* Some initialization that's required to operate smoothly in Python */
    SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
                                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                                SSL_MODE_AUTO_RETRY);

I don't see any other possible alternative.

I'm not sure which one is better. Implementing a set_mode wrapper with no mode set by default has no compatibility issues, although we'd still have that 'bad write retry' OpenSSL error. On the other hand, setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default is easy but we lose some security (and, possibly, some compatibility problems, although I doubt anyone relies on the 'bad write retry' error).

What do you think? I'd be ready to write the patch for the set_mode wrapper if you want.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8240>
_______________________________________
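The caller-side discipline that avoids the 'bad write retry' error discussed in the comment above, as an added example that is not code from the tracker, CPython or pyOpenSSL: a stalled non-blocking write is retried with the identical buffer. The names send_all, StrictFakeSocket and demo are hypothetical, and the fake socket is a constructed stand-in that approximates OpenSSL's check by object identity.

```python
import select
import ssl

def send_all(sock, data, wait=select.select):
    """Send all of data on a non-blocking SSL socket; return (sent, retries).

    A stalled write is retried with the identical memoryview (same address,
    same length), which OpenSSL accepts without ACCEPT_MOVING_WRITE_BUFFER."""
    view = memoryview(data)          # slices share the caller's buffer, no copy
    sent = retries = 0
    while sent < len(view):
        chunk = view[sent:]          # fixed for every retry of this write
        while True:
            try:
                n = sock.send(chunk)
                break
            except ssl.SSLWantWriteError:
                wait([], [sock], [])     # block until writable, then retry
            except ssl.SSLWantReadError:
                wait([sock], [], [])     # TLS needs inbound data first
            retries += 1
        sent += n
    return sent, retries

class StrictFakeSocket:
    """Constructed stand-in for ssl.SSLSocket (assumption, not a real API):
    rejects a retry whose buffer is not the one from the stalled write."""
    def __init__(self, stalls, max_write):
        self.stalls, self.max_write = stalls, max_write
        self.pending, self.received = None, bytearray()

    def send(self, buf):
        if self.pending is not None and buf is not self.pending:
            raise ssl.SSLError("bad write retry")
        if self.stalls:
            self.stalls -= 1
            self.pending = buf
            raise ssl.SSLWantWriteError()
        self.pending = None
        part = bytes(buf[:self.max_write])   # partial write, as with PARTIAL_WRITE
        self.received += part
        return len(part)

def demo():
    sock = StrictFakeSocket(stalls=2, max_write=4)   # constructed sample input
    result = send_all(sock, b"hello, tracker", wait=lambda r, w, x: (r, w, x))
    return result, bytes(sock.received)
```
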