
Conversation

@tiran tiran commented Dec 29, 2017

Auto-detection of PEM / DER is rather complicated and may not always
work reliably. All PEM parsers (that I know) ignore extra data before
and after the BEGIN/END block. Some data may look like DER at the
beginning and then turn out to be PEM later. Instead of guessing the
format, how about a format argument with PEM as default? Most people
will use PEM anyway.

Related to that, OpenSSL has a file format "TRUSTED CERTIFICATE", which
is a standard PEM + additional AUX data at the end of the certificate
blob. With a format argument, we can easily support additional formats
for load and dump.

The certificate class can only load the first certificate from a PEM
bundle. Except for trivial test cases, a chain and CA bundle are made up
of multiple certs. IMO dedicated load methods for a chain and a batch of
certs would be useful for multiple reasons. It's easier and more
efficient to use existing load functions to extract all certs from a PEM
bundle. A chain bundle can contain a private key, too. With a dedicated
function we can avoid loading the private key into Python memory. And
OpenSSL makes it a bit more awkward because it loads the EE cert
differently than the rest of the chain:
https://github.com/openssl/openssl/blob/master/ssl/ssl_rsa.c#L619

Signed-off-by: Christian Heimes <christian@python.org>

TODO

  • Document that PEM parser should ignore all non-supported blocks as well as extra noise
  • Add support for RSA/RCC dual mode configuration
  • Add TLS configuration for ECDH curves?
  • Add APIs for uni-directional and quiet shutdown? OpenSSL > 1.1.0 needs at least a quiet shutdown for session handling. Quiet shutdown does not send any messages. Unidirectional shutdown just sends CLOSE NOTIFY and doesn't wait for confirmation.
  • Fix grammar and spelling
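The bundle-splitting behaviour the commit message argues for (every CERTIFICATE block is returned, blocks of other types and surrounding noise are ignored, and a PRIVATE KEY block is skipped before it is ever decoded), as an added example in plain Python. It is not code from this PR or from CPython; the `_block` helper and `SAMPLE_BUNDLE` are constructed for the demonstration.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
# The body is limited to base64 characters and whitespace, so a truncated or
# mislabelled block cannot swallow the blocks after it. Anything outside a block
# (openssl "subject=" lines, comments, stray bytes) is skipped, as PEM parsers
# in the wild do.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<body>[A-Za-z0-9+/=\s]*?)"
    rb"-----END (?P=label)-----"
)

def iter_pem_blocks(data, labels=None):
    """Yield (label, der_bytes) for each well-formed PEM block in ``data``.

    With ``labels`` set, blocks of any other label are skipped before their body
    is decoded, so a "PRIVATE KEY" block in a chain file never becomes key material.
    """
    for match in _PEM_BLOCK.finditer(data):
        label = match.group("label").decode("ascii")
        if labels is not None and label not in labels:
            continue
        body = b"".join(match.group("body").split())  # drop line breaks
        yield label, base64.b64decode(body, validate=True)

def load_certificate_chain(bundle):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [der for _label, der in iter_pem_blocks(bundle, labels={"CERTIFICATE"})]

def _block(label, payload):
    # Wrap a constructed payload in PEM armour (hypothetical helper for the sample).
    b64 = base64.encodebytes(payload)
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), b64, label.encode())

# Constructed sample chain file (not real certificates or keys): placeholder
# payloads, the kind of noise a real bundle may carry, and a private key block
# that a chain loader must leave alone.
SAMPLE_BUNDLE = (
    b"subject=CN=example.test\nissuer=CN=Test CA\n"
    + _block("CERTIFICATE", b"EE-CERT-DER")
    + b"# intermediate follows\n"
    + _block("CERTIFICATE", b"INTERMEDIATE-DER")
    + _block("PRIVATE KEY", b"SECRET-KEY-DER")
    + _block("CERTIFICATE", b"ROOT-DER")
)
```

The placeholder payloads stand in for DER; a real loader would hand each returned blob to an X.509 parser, which is exactly the step this splitter keeps the private key away from.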
tiran commented Dec 29, 2017

PoC implementation of new APIs for CPython at python/cpython@master...tiran:ssl_x509

@gvanrossum commented
@tiran Is this waiting for something? Since you're one of the PEP authors I'm tempted to just merge it, except there's a list of TODO items. You should be able to merge it yourself too.

gvanrossum changed the title from "[WIP] Update for TLS PEP" to "[WIP] PEP 543: Update for TLS PEP" on Jul 7, 2018
@brettcannon commented
@tiran I'm closing this as it has been sitting open for over a year. If you're ready to merge it then please do so.

@brettcannon brettcannon closed this Nov 6, 2019