On 2017-01-11 20:01, Cory Benfield wrote:
> Socket
> ~~~~~~
>
> The socket-wrapper ABC will be defined by the ``TLSWrappedSocket`` ABC, which
> has the following definition::
>
>     class TLSWrappedSocket(metaclass=ABCMeta):
>         # The various socket methods all must be implemented. Their
>         # definitions have been elided from this class definition in the
>         # PEP because they aren't instructive.
I sent my first mail too early and forgot three things.

Python's ssl module has additional weird modes. It's possible to create an
unconnected SSLSocket and later connect it. Pseudo code:

    s1 = socket.socket()
    s2 = context.wrap_socket(s1)
    s2.connect((host, port))

AFAIK PyOpenSSL doesn't support this mode.

How do we deal with unconnected sockets, UDP/DTLS and other transports? Are
sockets limited to AF_INET / AF_INET6 and SOCK_STREAM?

In the not-so-distant future SRV-ID validation will become relevant. In order
to support dNSName, IPAddress, and SRV-ID validation, the TLS socket needs the
hostname (if available), IP address, port and service type (e.g. http, ldap,
xmpp-server, ...).

For hostname validation we should also define how we are going to deal with
encodings. Is the hostname always an IDN U-label, A-label or can it be both?

Christian
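The following is an added example, not code from the thread or from the PEP draft. It illustrates the last two points of the message: checking a reference identifier against the dNSName and iPAddress entries of a certificate, with the hostname normalised to its IDNA A-label first so that a U-label ("bücher.example") and an A-label ("xn--bcher-kva.example") compare equal. The subjectAltName is a constructed sample in the tuple shape that `ssl.getpeercert()` returns under the `'subjectAltName'` key; SRV-ID checking is not shown, since it needs the service type and port the message says the socket would have to carry.

```python
import ipaddress

# Constructed subjectAltName (not a real certificate), in the tuple shape
# ssl.getpeercert() returns under the 'subjectAltName' key.
SAMPLE_SAN = (
    ('DNS', 'example.com'),
    ('DNS', '*.example.com'),
    ('DNS', 'xn--bcher-kva.example'),   # A-label for "bücher.example"
    ('IP Address', '192.0.2.10'),
)


def to_a_label(hostname: str) -> str:
    """Return the lower-case IDNA A-label (ASCII) form of a hostname.

    Accepts either a U-label or an A-label. The stdlib 'idna' codec
    passes all-ASCII labels through unchanged, so the conversion is
    idempotent. Raises UnicodeError for labels the codec rejects.
    """
    return hostname.rstrip('.').encode('idna').decode('ascii').lower()


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match after A-label normalisation.

    A wildcard is honoured only as the entire left-most label of a
    pattern with at least three labels, and it matches exactly one
    label of the hostname.
    """
    try:
        pat_labels = to_a_label(pattern).split('.')
        host_labels = to_a_label(hostname).split('.')
    except UnicodeError:
        return False
    if len(pat_labels) != len(host_labels):
        return False
    if '' in pat_labels or '' in host_labels:
        return False
    if '*' not in pattern:
        return pat_labels == host_labels
    if pat_labels[0] != '*' or len(pat_labels) < 3:
        return False
    if any('*' in label for label in pat_labels[1:]):
        return False
    return pat_labels[1:] == host_labels[1:]


def check_san(san, reference: str) -> bool:
    """Return True if the reference identifier is covered by the SAN.

    An IP literal is compared only with iPAddress entries and a DNS
    name only with dNSName entries; the two name spaces never mix.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == 'IP Address' and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == 'DNS' and match_dns_name(value, reference)
               for kind, value in san)


if __name__ == '__main__':
    for ref in ('www.example.com', 'bücher.example',
                'a.b.example.com', '192.0.2.10'):
        print(f'{ref!r}: {check_san(SAMPLE_SAN, ref)}')
```

The normalisation step is what makes the U-label/A-label question from the message moot for the comparison itself: whichever form the caller passes, both sides are reduced to lower-case A-labels before they are compared. The IP branch is separate on purpose, so that an IP literal never matches a dNSName entry, and vice versa.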