Geert Jansen added the comment:
Glyph, if this is just for Twisted you could ship the "sslcompat" module that
I'm shipping with Gruvi. It backports the async IO stuff and a few other pieces
through an extension module.
https://github.com/geertj/gruvi/blob/master/src/sslcompat.c
Geert Jansen added the comment:
Apologies for the late reply.
I made SSLSocket go through SSLObject so that the test suite that is primarily
testing SSLSocket will test both.
Also, this layering allows us to define some non-networked operations (such as
SSL certificate checking and channel
Geert Jansen added the comment:
Hi Victor,
see below my comments:
* SSLSocket.read(), SSLObject.read() and _ssl._SSLSocket.read() taking a buffer
as the second positional argument.
Both SSLSocket.read() and _SSLSocket.read() already accepted two arguments so I
went for consistency
Geert Jansen added the comment:
+.. attribute:: SSLSocket.server_hostname
+
+ A ``bytes`` instance (...)
Ah, this is a mistake. It's actually always a str instance (on SSLObject as
well).
It is indeed, I stand corrected. I was confused by the decode - encode
roundtrip that happens
Geert Jansen added the comment:
newPySSLSocket() expects a char* string and uses PyUnicode_Decode() to decode
bytes.
Yup, and this value is available as SSLSocket._sslobj.server_hostname. But
SSLSocket.server_hostname is not this, it is what was passed to the constructor
which can
Geert Jansen added the comment:
Maybe an example is useful on how the Memory BIO stuff can be used to implement
SSL on top of a proactor event loop. I just added support for this to my Gruvi
project in the branch feat-memory-bio:
An SslPipe utility class that uses the memory BIOs:
https
Changes by Geert Jansen gee...@gmail.com:
--
nosy: +geertj
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22559
___
___
Python-bugs-list mailing
Geert Jansen added the comment:
Thanks Antoine for merge!
SSLPipe looks interesting. I wonder if it can be used to reimplement
_SelectorSslTransport in asyncio.selector_events (at least as an experiment).
Yes, it could be done quite easily. SslPipe has no dependency on other parts of
Gruvi
Geert Jansen added the comment:
It seems that SSLSocket.close() doesn't actually close the socket, and that's
why the server side read() blocks.
It's a bit of a mystery to me how socket.close(), which is called by SSLSocket
to do the actual close, is supposed to work. I don't see any calls
Geert Jansen added the comment:
Right, socket._socketobject merely nulls out the reference to _socket.socket,
and lets reference counting take care of the rest.
Ugh this is bad... I thought close() was exactly there when you don't want to
depend on refcounting for cleanup.
* When
Geert Jansen added the comment:
In Python2 socket._socketobject composes with _socket.socket, so we pass
self._sock, that way it has the right C-level fields. Unfortunately taking
a weakref of _socket.socket is not allowed.
I see, and agree that making it weakref-able would be a bad idea
Geert Jansen added the comment:
One issue with the owner is that there is now a reference cycle between
SSLSocket and SSLObject (something which the original design is careful to
avoid by using weakrefs in the _ssl module).
Note that owner is a weakref :) Did you look at the code
Geert Jansen added the comment:
Added the comment about owner being a weakref, and added a new consolidated
patch (ssl-memory-bio-5).
--
Added file: http://bugs.python.org/file36806/ssl-memory-bio-5.patch
Geert Jansen added the comment:
New patch attached. This patch makes SSLSocket use SSLObject. The big benefit
here is obviously test coverage.
I decided against using SSLObject as a mixin, because all methods need to be
reimplemented anyway because for SSLSocket they need to handle the non
Geert Jansen added the comment:
Well... I would have expected this approach to yield a bigger reduction in
code size. If it doesn't shrink the code, then I'm not sure it's worthwhile.
What do you think?
I think the improved test coverage might still make it worthwhile. All tests
are now
Geert Jansen added the comment:
Antoine, sorry for the delay, we just had a new kid and I changed jobs :)
Let me try if I can create an updated patch where SSLObject is a mixin for
SSLSocket. I think the argument about writing tests once is important. Be back
in a few days
Geert Jansen added the comment:
Thanks Antoine. See my comments below:
- is it necessary to start exposing server_hostname, server_side and
pending()?
At the C level I need server_hostname and server_side exposed because they are
needed to implement the cert check in do_handshake
Geert Jansen added the comment:
Adding small patch (incremental to patch #4) to fix a test failure.
--
Added file: http://bugs.python.org/file36483/ssl-memory-bio-4-incr1.patch
Geert Jansen added the comment:
Updated patch. Contains:
* An owner attribute on a _ssl.SSLSocket that is used as the first argument
to the SNI servername callback (implemented as a weakref).
* Documentation
I think this covers all outstanding issues that were identified. Antoine,
please
Geert Jansen added the comment:
Antoine, yes, I just got back from holiday. I will have an updated patch
tomorrow.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue21965
Geert Jansen added the comment:
Thanks to Ben and Glyph for their feedback. The memory BIO should allow
ProactorEventLoop to support SSL. I say should because I have not looked at
it myself. However, my Gruvi project is proactor (libuv) based and I have a
private branch where SSL support
Geert Jansen added the comment:
New patch with a Python-level API (option #3).
This needs some more tests, and docs.
--
Added file: http://bugs.python.org/file36248/ssl-memory-bio-3.patch
Geert Jansen added the comment:
A question though: does it support server-side SNI? AFAIR server-side SNI
requires you to be able to change a SSL object's context.
Yes, it does. See the following comment in _servername_callback():
/* Pass a PySSLSocket instance when using memory BIOs
Changes by Geert Jansen gee...@gmail.com:
Added file: http://bugs.python.org/file36189/ssl-memory-bio-2.patch
Geert Jansen added the comment:
I added a new patch that addresses the comments.
Geert Jansen added the comment:
I've explored a few options for the Python-level API in the attachment
bio_python_options.py.
Me personally I prefer the more lightweight option #3. This is both out of
selfish interest (less work for me), but also I believe that memory BIOs are an
API
Changes by Geert Jansen gee...@gmail.com:
Removed file: http://bugs.python.org/file36190/bio_python_options.py
Changes by Geert Jansen gee...@gmail.com:
Added file: http://bugs.python.org/file36191/bio_python_options.py
Geert Jansen added the comment:
Hi all (pitrou, haypo and all others) can I get some feedback on this patch?
Thanks!
New submission from Geert Jansen:
The attached patch adds a _MemoryBIO type to _ssl, and a _wrap_bio() method to
_SSLContext. The patch also includes tests.
For now I kept _wrap_bio() and _MemoryBIO semi-private. The reason is that it
returns an _SSLSocket instead of an SSLSocket
Geert Jansen added the comment:
*bump*.
This is a critical bugfix that prevents I bet 90%+ of Python users on Windows
compiling C extensions. It has been open for 2 years and it's a great
disservice to people having to compile stuff on Windows.
Oscar has been doing a terrific job
Geert Jansen added the comment:
*bump*
I just installed MinGW 2.6.2 32-bit on Windows XP. It doesn't accept -mnocygwin
and there is no binary i686-pc-mingw32-gcc either.
It would be great if you could agree on an approach and get this fixed. This
impacts a lot of users that want to build