On 2016-09-10 17:24, Nick Coghlan wrote:
> On 11 September 2016 at 00:22, Christian Heimes <christ...@python.org> wrote:
>> First I'd like to deprecate some old APIs in favor of SSLContext. We have
>> multiple ways to create an SSL socket or to configure libraries like
>> urllib. The general idea is to make SSLContext the central object for
>> TLS/SSL configuration. My patch deprecates ssl.wrap_socket()
>
> I'll bring over my question from the tracker issue to here: there's a
> subset of ssl.wrap_socket() arguments which actually make sense as
> arguments to ssl.get_default_context().wrap_socket().
>
> Accordingly, we can pick a subset of code (e.g. SSL/TLS clients) that
> we bless with not needing to change, leaving only code using
> deprecated parameters or creating server sockets that needs to be
> updated.

Do you consider ssl.wrap_socket() relevant for so many projects? The
function hurts performance and is no longer best practice. The
deprecation of ssl.wrap_socket() is a friendly nudge. I don't mind
keeping it around for another four or six years.

There is one other use case not covered by SSLContext.wrap_socket() but
by SSLSocket.__init__(). The SSLSocket constructor takes a fileno
argument. But it's an undocumented feature and it has been broken since
at least 3.3. https://bugs.python.org/issue27629

> As with past network security changes, a major factor we need to
> account for is that no matter how valuable a particular goal is from a
> broader industry perspective, people don't tend to react to API breaks
> by fixing their code - they react by not upgrading at all.

I totally agree and have been very careful to keep backwards
compatibility. My third patch breaks just one scenario:
ssl.create_default_context(purpose=Purpose.SERVER_AUTH) no longer
supports server-side connections and CLIENT_AUTH no longer client-side
connections. It's the good kind of incompatibility because it reveals
API misuse. Applications should never have used a SERVER_AUTH context to
create server sockets.

Christian