New submission from Christian Heimes:

In ticket #28022 and in thread 
https://mail.python.org/pipermail/python-dev/2016-September/146366.html I 
discussed two new protocols for SSLContext: PROTOCOL_TLS_CLIENT and 
PROTOCOL_TLS_SERVER. An SSLContext with PROTOCOL_TLS_CLIENT can only create 
connections to a server but cannot wrap server sockets. We can use it to have 
better defaults (e.g. cert validation and hostname verification for client 
side) and to make it impossible to confuse a server context with a client 
context. In the long run I'm planning to deprecate all but PROTOCOL_TLS_CLIENT 
and PROTOCOL_TLS_SERVER.

---
Finally (and this is the biggest) I like to change how the protocols
work. OpenSSL 1.1.0 has deprecated all version specific protocols. Soon
OpenSSL will only support auto-negotiation (formerly known as
PROTOCOL_SSLv23). My patch #26470 added PROTOCOL_TLS as alias for
PROTOCOL_SSLv23. If the last idea is accepted I will remove PROTOCOL_TLS
again. It hasn't been released yet. Instead I'm going to add
PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER (see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html
TLS_server_method(), TLS_client_method()). PROTOCOL_TLS_CLIENT is like
PROTOCOL_SSLv23 but only supports client-side sockets and
PROTOCOL_TLS_SERVER just server-side sockets. In my experience we can't
have an SSLContext with sensible and secure settings for client and
server at the same time. Hostname checking and cert validation are only
sensible for client-side sockets.
---

----------
assignee: christian.heimes
components: Extension Modules
messages: 275862
nosy: christian.heimes
priority: normal
severity: normal
stage: patch review
status: open
title: SSL: Add client and server protocols for SSLContext
type: enhancement
versions: Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28085>
_______________________________________
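The split described in the submission, shown as an added example (not code from the tracker issue or from CPython itself): it assumes a Python 3.6 or later `ssl` module, where `PROTOCOL_TLS_CLIENT` and `PROTOCOL_TLS_SERVER` exist, and reads back the verification defaults each protocol gives an `SSLContext`, then shows that a client context refuses to wrap a server-side socket.

```python
import socket
import ssl


def context_defaults(protocol):
    """Return (check_hostname, verify_mode name) for a fresh SSLContext.

    PROTOCOL_TLS_CLIENT is expected to enable hostname checking and
    CERT_REQUIRED; PROTOCOL_TLS_SERVER leaves both off, because a server
    has no peer hostname to check and usually does not require client certs.
    """
    ctx = ssl.SSLContext(protocol)
    return ctx.check_hostname, ssl.VerifyMode(ctx.verify_mode).name


def client_defaults():
    return context_defaults(ssl.PROTOCOL_TLS_CLIENT)


def server_defaults():
    return context_defaults(ssl.PROTOCOL_TLS_SERVER)


def client_context_rejects_server_socket():
    """Try to use a PROTOCOL_TLS_CLIENT context for a server-side socket.

    Returns True when the ssl module refuses with ValueError: the client
    context's default check_hostname=True demands a server_hostname, and a
    server-side socket can never supply one, so the mix-up fails before any
    handshake. Returns False if wrapping unexpectedly succeeded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    raw = socket.socket()  # constructed, never connected
    try:
        wrapped = ctx.wrap_socket(raw, server_side=True)
    except ValueError:
        return True
    else:
        wrapped.close()
        return False
    finally:
        raw.close()


if __name__ == "__main__":
    print("client:", client_defaults())
    print("server:", server_defaults())
    print("client ctx refuses server socket:", client_context_rejects_server_socket())
```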