[issue8550] Expose SSL contexts

2015-10-04 Thread Berker Peksag

Changes by Berker Peksag:


Removed file: http://bugs.python.org/file40678/entry.tbp

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue8550] Expose SSL contexts

2015-10-04 Thread Lance Warrior

Changes by Lance Warrior:


Added file: http://bugs.python.org/file40678/entry.tbp




[issue8550] Expose SSL contexts

2010-05-16 Thread Antoine Pitrou

Antoine Pitrou added the comment:

A couple of buildbot failures led to fixes in r81234 and r81235. Everything 
should be fine now.

--
resolution: accepted -> fixed
status: open -> closed




[issue8550] Expose SSL contexts

2010-05-16 Thread Antoine Pitrou

Antoine Pitrou added the comment:

I've committed the patch in r81233. I'm going to watch the buildbots and close 
the issue if everything's fine.

--
assignee:  -> pitrou
resolution:  -> accepted
stage: patch review -> committed/rejected




[issue8550] Expose SSL contexts

2010-05-16 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Here is a patch addressing Heikki's and Jean-Paul's review comments (including 
additional documentation and a test for capath).

--
Added file: http://bugs.python.org/file17368/sslcontext4.patch




[issue8550] Expose SSL contexts

2010-05-16 Thread Antoine Pitrou

Antoine Pitrou added the comment:

> Since SSLv2 is insecure, could you at least add a warning for that
> protocol? I think there was a separate issue for removing it
> altogether, but could a warning be added here?

I think it should be a separate issue (since it also applies to the
legacy API). I agree it's reasonable to issue a warning. I don't think
we should remove it until OpenSSL itself does, though.

> The documentation should mention that verify_mode=CERT_REQUIRED is 
> recommended for security.

I think we should recommend CERT_OPTIONAL. A server running with
CERT_REQUIRED would refuse clients without a client certificate, which
is probably not common practice for most servers.

(CERT_OPTIONAL is SSL_VERIFY_PEER, and
 CERT_REQUIRED is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
The OpenSSL doc says there's no difference between the two in client
mode)

> I think you need to expose SSL_CTX_set_options(). Currently the code
> just sets all options, which means that the default protocol SSLv23
> will accept SSLv2 which is insecure. Most people would want to
> probably do something like ctx.set_options(SSL_OP_ALL |
> SSL_OP_NO_SSLv2).

There is a separate issue for it (whose patch I will update to use the
new context API when it is committed):
http://bugs.python.org/issue4870
Do note that OpenSSL 1.0.0 disables SSLv2 by default when using SSLv23,
by the way.

> Otherwise I could not see issues with the code, apart from the still
> #if 0'd out sections and commented out sections, which you are
> planning on doing something about, right?

Yes, there's a bit of cleanup work remaining.

--




[issue8550] Expose SSL contexts

2010-05-15 Thread Heikki Toivonen

Heikki Toivonen added the comment:

Since SSLv2 is insecure, could you at least add a warning for that protocol? I 
think there was a separate issue for removing it altogether, but could a 
warning be added here?

The documentation should mention that verify_mode=CERT_REQUIRED is recommended 
for security.

There should probably be an example of using SSL context in the documentation.

I think you need to expose SSL_CTX_set_options(). Currently the code just sets 
all options, which means that the default protocol SSLv23 will accept SSLv2 
which is insecure. Most people would want to probably do something like 
ctx.set_options(SSL_OP_ALL | SSL_OP_NO_SSLv2). Documentation should also 
mention that this is recommended for security. See man SSL_CTX_set_options.

Otherwise I could not see issues with the code, apart from the still #if 0'd 
out sections and commented out sections, which you are planning on doing 
something about, right?

--

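The verify-mode and SSLv2 points raised in Heikki's review and in Antoine's reply above, shown against the SSLContext API that eventually shipped in the ssl module. This is an added example, not code from the tracker thread or from CPython; the function names build_context, describe and verification_can_be_disabled are my own. It builds a server context in each of the two modes discussed (CERT_OPTIONAL, which verifies a client certificate only if one is presented, and CERT_REQUIRED, which also fails the handshake without one), applies a protocol floor where the thread talks about SSL_OP_NO_SSLv2, and reports the resulting settings so they can be inspected, which is the "query information about the current options" capability the proposal asks for.

```python
import ssl
from typing import Dict


def build_context(server_side: bool, require_client_cert: bool = False) -> ssl.SSLContext:
    """Return an SSLContext configured along the lines of the review comments.

    Server side: CERT_OPTIONAL verifies a client certificate if one is
    presented but does not demand one (OpenSSL's SSL_VERIFY_PEER);
    CERT_REQUIRED additionally fails the handshake when no client
    certificate arrives (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
    Client side: create_default_context() already selects CERT_REQUIRED
    together with hostname checking.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    # The thread discussed masking SSLv2 with SSL_OP_NO_SSLv2. The current
    # ssl module expresses the same intent as a protocol floor, which also
    # rules out SSLv3, TLS 1.0 and TLS 1.1 (OpenSSL 1.1.0+ has no SSLv2 at all).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_side:
        ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report the security-relevant settings of a context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def verification_can_be_disabled(ctx: ssl.SSLContext) -> bool:
    """Probe whether the context accepts CERT_NONE.

    The ssl module refuses CERT_NONE while check_hostname is on, which is
    the interlock a client context gets from create_default_context().
    The original mode is restored when the probe succeeds.
    """
    original = ctx.verify_mode
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    ctx.verify_mode = original
    return True


if __name__ == "__main__":
    for label, ctx in (("server, optional", build_context(True)),
                       ("server, required", build_context(True, True)),
                       ("client", build_context(False))):
        print(label, describe(ctx), "CERT_NONE accepted:", verification_can_be_disabled(ctx))
```

Only the server contexts accept CERT_NONE; the client context raises ValueError because hostname checking is enabled, so turning verification off there takes an explicit two-step change rather than a single assignment.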



[issue8550] Expose SSL contexts

2010-05-10 Thread Antoine Pitrou

Antoine Pitrou added the comment:

I uploaded the latest patch at http://codereview.appspot.com/1124044

--




[issue8550] Expose SSL contexts

2010-05-06 Thread STINNER Victor

Changes by STINNER Victor:


--
nosy: +haypo




[issue8550] Expose SSL contexts

2010-05-05 Thread Antoine Pitrou

Antoine Pitrou added the comment:

New patch after reindent of _ssl.c

--
Added file: http://bugs.python.org/file17225/sslcontext3.patch




[issue8550] Expose SSL contexts

2010-05-01 Thread Antoine Pitrou

Antoine Pitrou added the comment:

New patch with docs.

--
Added file: http://bugs.python.org/file17178/sslcontext2.patch




[issue8550] Expose SSL contexts

2010-05-01 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Here is a patch exposing SSL contexts as the "SSLContext" class. Also, SSL 
sockets are refactored to create a standalone SSLContext object, unless you 
create them using the new SSLContext.wrap_socket(). Please note that 
SSLContexts do not expose much more information than SSL sockets previously 
did. New SSLContext functionality (such as options) can be added later.

Docs are missing, but tests are there.

--
keywords: +patch
stage: needs patch -> patch review
Added file: http://bugs.python.org/file17173/sslcontext.patch




[issue8550] Expose SSL contexts

2010-04-28 Thread Antoine Pitrou

Changes by Antoine Pitrou:


--
nosy: +heikki




[issue8550] Expose SSL contexts

2010-04-27 Thread Eric Smith

Changes by Eric Smith:


--
nosy: +eric.smith




[issue8550] Expose SSL contexts

2010-04-27 Thread Jean-Paul Calderone

Jean-Paul Calderone added the comment:

For reference:

http://pyopenssl.sourceforge.net/pyOpenSSL.html/openssl-context.html
http://www.heikkitoivonen.net/m2crypto/api/M2Crypto.SSL.Context%27.Context-class.html

and `man -k SSL_CTX_`

--
nosy: +exarkun




[issue8550] Expose SSL contexts

2010-04-27 Thread Antoine Pitrou

New submission from Antoine Pitrou:

We should expose SSL contexts at the Python level, and rework SSL sockets to 
use those objects internally (rather than creating their own private context).
It would allow us to:
- specify the various options iteratively, rather than having to dump them all 
in the wrap_socket() arguments
- add methods to query information about the current options, key/cert, etc.
- solve issue3823 (you can build the context first, passing it the key/cert 
info, then drop privileges before creating any sockets)
- more easily share and reuse configuration information
- possibly add more powerful functionality such as sessions

The way I see it, the existing wrap_socket() module-level function would be 
kept for compatibility; context objects would expose their own wrap_socket() 
method, without all the arguments of course.

--
components: Library (Lib)
messages: 104359
nosy: giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
stage: needs patch
status: open
title: Expose SSL contexts
type: feature request
versions: Python 3.2

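The shape the original submission proposes, a context built once and then handed its own connections through a wrap method, demonstrated with the SSLContext API as it exists in the ssl module today. This is an added example, not code from the thread or from CPython; the names make_shared_context, start_handshake, parse_record_header and demo are mine, and the host names are constructed. It uses wrap_bio with in-memory BIOs instead of wrap_socket so that the whole thing runs offline: one context is reused for two connections, each is driven until it blocks waiting for the server, and the ClientHello record each one emitted is decoded. The comment in make_shared_context marks where a server would call load_cert_chain before any privilege drop, which is the ordering issue3823 is about.

```python
import ssl
from typing import Dict, Tuple


def make_shared_context() -> ssl.SSLContext:
    """Build one client context up front; every connection below reuses it.

    For a server, this is also where load_cert_chain(certfile, keyfile) would
    run: before any privilege drop and before any socket exists (issue3823).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def start_handshake(ctx: ssl.SSLContext, server_hostname: str) -> Tuple[ssl.SSLObject, bytes]:
    """Wrap a pair of in-memory BIOs (instead of a socket) with the shared
    context and drive the handshake until it blocks waiting for the server.
    Returns the SSLObject and the bytes it wants sent, i.e. the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing has been fed into `incoming` yet
    return tls, outgoing.read()


def parse_record_header(data: bytes) -> Dict[str, object]:
    """Decode the 5-byte TLS record header: content type, legacy version, length."""
    if len(data) < 5:
        raise ValueError("record shorter than its header")
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": data[0],         # 22 = handshake
        "version": (data[1], data[2]),   # legacy record version, major byte 3
        "length": length,
        "complete": len(data) >= 5 + length,
    }


def demo() -> Dict[str, object]:
    """Reuse one context for two connections and inspect what each produced."""
    ctx = make_shared_context()
    # Constructed host names under the reserved .invalid TLD; no DNS is done.
    a, hello_a = start_handshake(ctx, "alpha.example.invalid")
    b, hello_b = start_handshake(ctx, "beta.example.invalid")
    return {
        "shared": a.context is ctx and b.context is ctx,
        "sni": (a.server_hostname, b.server_hostname),
        "record_a": parse_record_header(hello_a),
        "record_b": parse_record_header(hello_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both SSLObjects report the same context object, each carries its own SNI name, and each outgoing BIO holds exactly one complete handshake record; the configuration lives in the context while per-connection state lives in the wrapped object, which is the separation the proposal argues for.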