On 25 May 2017 at 21:24, Antoine Pitrou <solip...@pitrou.net> wrote:
> The new TLS API wouldn't significantly improve security. It's just a
> different API.

It isn't just a different API. It's an API with *backends for the native TLS implementations on Windows and Mac OS X*. This means that instead of attempting to extract system certs and inject them into a bundled copy of OpenSSL, it becomes viable to just use the operating system provided security services and behave the same way as any other native application (at least as far as secure network connections are concerned).

Ideally, it would be good to get to a point where we can stop bundling OpenSSL entirely on Windows and Mac OS X, such that OpenSSL CVEs stop automatically turning into CPython CVEs, and we can instead delegate the task of prompt network security stack updates to the OS provider, the same way we do for non-Apple *nix systems.

Even if it isn't feasible to get Python 2.7 to that happy state by 2020, we may at least be able to get to a point where most routine TLS connections from Python 2.7 applications are using an OS provided TLS implementation, so their network security is less dependent on receiving updates to the Python level components of their stack.

>> I also understood that getting access to system CA allows admins to
>> register their company CA and so avoid that users ignore the TLS warning
>> (unknown CA).
>
> System admins can add the company CA at the system level in the
> system's CA cert store, they have no need for a Python API. Actually,
> they certainly don't want to modify every Python application to add a
> company CA.

The state of affairs that you're citing as undesirable is pretty much the way things *currently* work. Most Python applications still won't see system level certificates on Windows and Mac OS X, and they often won't see them even on Linux and *BSD systems (unless they're running directly in the system Python and using the system-provided requests module, which gets patched to use the system certs rather than the default Mozilla bundle).

Cheers,
Nick.
-- 
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
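As an added illustration of the point about trust stores (example code, not part of the thread or of CPython), the script below compares the CA set a Python process actually obtains from its OS trust store via `ssl.create_default_context()` with the CA set in a separate bundled file such as the one certifi ships; a company CA that appears only in the system store is exactly the one a bundle-using application would reject. The bundle path is an assumption, and certifi is optional.

```python
import ssl
from typing import Dict, List, Optional, Set


def _subject_of(cert: dict) -> str:
    """Flatten the nested subject tuple from SSLContext.get_ca_certs() into one string."""
    return "/".join("=".join(pair) for rdn in cert.get("subject", ()) for pair in rdn)


def system_store_subjects() -> Set[str]:
    """CA subjects the interpreter can see in the OS trust store.

    create_default_context() calls load_default_certs(), which on Windows
    reads the ROOT/CA stores and on Linux/*BSD the OpenSSL default paths;
    an empty result means this Python sees no system-level CAs at all.
    """
    ctx = ssl.create_default_context()
    return {_subject_of(c) for c in ctx.get_ca_certs()}


def bundle_subjects(bundle_path: str) -> Set[str]:
    """CA subjects contained in a standalone PEM bundle (e.g. certifi.where())."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return {_subject_of(c) for c in ctx.get_ca_certs()}


def compare_trust_stores(bundle_path: Optional[str]) -> Dict[str, object]:
    """Report which CAs are trusted only by the OS store or only by the bundle."""
    system = system_store_subjects()
    bundle = bundle_subjects(bundle_path) if bundle_path else set()
    return {
        "system_ca_count": len(system),
        "bundle_ca_count": len(bundle),
        # CAs (typically a company CA) that bundle-based clients would not trust.
        "system_only": sorted(system - bundle),
        "bundle_only": sorted(bundle - system),
    }


if __name__ == "__main__":
    try:
        import certifi  # assumed optional dependency; absent means "no bundle"
        path: Optional[str] = certifi.where()
    except ImportError:
        path = None
    report = compare_trust_stores(path)
    for key, value in report.items():
        print(f"{key}: {value if not isinstance(value, list) else len(value)}")
```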