[issue19689] ssl.create_default_context()

2014-10-04 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- status: open -> closed ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://m

[issue19689] ssl.create_default_context()

2014-03-09 Thread Roundup Robot
Roundup Robot added the comment: New changeset 8b4b6609cd31 by R David Murray in branch 'default': whatsnew: ssl.create_default_context (#19689). http://hg.python.org/cpython/rev/8b4b6609cd31 -- status: pending -> open

[issue19689] ssl.create_default_context()

2013-11-23 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes resolution: -> fixed stage: patch review -> committed/rejected status: open -> pending

[issue19689] ssl.create_default_context()

2013-11-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset 63df21e74c65 by Christian Heimes in branch 'default': Issue #19689: Add ssl.create_default_context() factory function. It creates http://hg.python.org/cpython/rev/63df21e74c65 -- nosy: +python-dev

[issue19689] ssl.create_default_context()

2013-11-23 Thread Christian Heimes
Christian Heimes added the comment: The patch implements HIGH:!aNULL:!RC4:!DSS HIGH already covers !MD5:!EXPORT:!NULL:!SSLv2 and more -- Added file: http://bugs.python.org/file32799/ssl_create_default_context3.patch

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > how about we use more strict and modern settings for the public API? > TLSv1, no insecure stuff like RC4, MD5, DSS etc. > https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ Fine, but I'd like to see something more open-ended for the ciphers stri

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: Antoine and I have agreed upon a slightly different API. I'm going to split it up into one public API that creates a best practice context and one internal stdlib API to unify all places that deal with SSL sockets. AP: how about we use more strict and moder

[issue19689] ssl.create_default_context()

2013-11-22 Thread Giampaolo Rodola'
Changes by Giampaolo Rodola': -- nosy: -giampaolo.rodola

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: Ok, so I still have a couple of issues with the proposed API: - if its purpose is to create a *default* context, create_default_context() shouldn't have that many arguments. The nice thing with contexts is that you can change their parameters later... So basic

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: More links: https://www.imperialviolet.org/2012/01/30/mozillaroots.html https://github.com/bagder/curl/commit/51f0b798fa https://github.com/kennethreitz/requests/issues/1659 --

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: New patch with enum and more cleanups. I'd like to explain the rationale for the purpose argument in create_default_context and the ASN1Object thing. There are multiple things involved here. First of all a certificate may have key usage and extended key usa

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: Ok. Note that as long as they aren't actually passed to OpenSSL, they don't need to be ASN1 objects at all, i.e. if it's only a parameter to create_default_context(), it can perfectly well be a str or enum. --

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: The objects already have a (more or less) nice representation: >>> ssl._ASN1Object.fromname("1.3.6.1.5.5.7.3.1") _ASN1Object(nid=129, shortname='serverAuth', longname='TLS Web Server Authentication', oid='1.3.6.1.5.5.7.3.1') >>> ssl._ASN1Object.fromname("1.3.

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > In my opinion enums are for a closed batch of known entities. There > are at least 20-30 purpose flags, maybe more. Everybody is allowed to > define their own OIDs, too. Well, how many purposes are we going to expose? I don't think users should know what ASN1

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: In my opinion enums are for a closed batch of known entities. There are at least 20-30 purpose flags, maybe more. Everybody is allowed to define their own OIDs, too. --

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > SERVER_AUTH = _ASN1Object('1.3.6.1.5.5.7.3.1') > CLIENT_AUTH = _ASN1Object('1.3.6.1.5.5.7.3.2') That's a bit ugly. How about an enum? --

[issue19689] ssl.create_default_context()

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: Good point! We need a purpose flag anyway in order to load the appropriate root CA certs. The purpose flag can be used for purpose-specific verify mode: SERVER_AUTH = _ASN1Object('1.3.6.1.5.5.7.3.1') CLIENT_AUTH = _ASN1Object('1.3.6.1.5.5.7.3.2') if isi
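
The cipher policy (HIGH:!aNULL:!RC4:!DSS) and the purpose flags discussed in this thread are what the shipped ssl.create_default_context() ended up exposing. The following is an added example, not code from the thread or from CPython; it builds a default context for each of the two purposes and reports what they differ in. It assumes Python 3.6 or later (SSLContext.get_ciphers and the VerifyMode enum) and the purpose values as they shipped in ssl.Purpose; the weak-cipher pattern is the example's own, not part of the ssl module.

```python
"""Inspect the contexts that ssl.create_default_context() returns per purpose.

Added example, not code from this tracker thread or from CPython itself.
Assumes Python 3.6+ (SSLContext.get_ciphers, VerifyMode enum) and an OpenSSL
build that uses the default cipher string CPython configures.
"""
import re
import ssl

# Fragments of cipher names the thread agreed to exclude (RC4, MD5, DSS) plus
# the anonymous, NULL and export suites that "HIGH:!aNULL" already rules out.
# The pattern is this example's own check, not something the ssl module offers.
WEAK_CIPHER_PATTERN = re.compile(r"RC4|MD5|DSS|NULL|ADH|AECDH|EXP")


def weak_ciphers(cipher_names):
    """Return the cipher names that match the weak-cipher pattern."""
    return [name for name in cipher_names if WEAK_CIPHER_PATTERN.search(name)]


def describe_default_context(purpose):
    """Build a context for `purpose` and report the settings worth reviewing:
    the purpose's OID and short name, the verify mode, hostname checking,
    and any weak cipher that survived the default cipher string."""
    ctx = ssl.create_default_context(purpose)
    cipher_names = [cipher["name"] for cipher in ctx.get_ciphers()]
    return {
        "purpose_oid": purpose.oid,              # e.g. 1.3.6.1.5.5.7.3.1
        "purpose_shortname": purpose.shortname,  # e.g. serverAuth
        "verify_mode": ctx.verify_mode.name,     # CERT_REQUIRED or CERT_NONE
        "check_hostname": ctx.check_hostname,
        "cipher_count": len(cipher_names),
        "weak_ciphers": weak_ciphers(cipher_names),
    }


def describe_all():
    """Describe both shipped purposes, keyed by their X.509 short name."""
    return {
        purpose.shortname: describe_default_context(purpose)
        for purpose in (ssl.Purpose.SERVER_AUTH, ssl.Purpose.CLIENT_AUTH)
    }


if __name__ == "__main__":
    for shortname, info in describe_all().items():
        print(shortname, info)
```

SERVER_AUTH is the client-side purpose (the peer must present a server certificate), so it gets CERT_REQUIRED plus hostname checking; CLIENT_AUTH is the server-side purpose and stays at CERT_NONE because most servers do not demand client certificates. Either context remains an ordinary SSLContext, so a caller who wants more can still set `verify_mode`, `check_hostname` or `set_ciphers()` on it afterwards.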

[issue19689] ssl.create_default_context()

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > A few weeks ago I suggested the addition of > ssl.create_default_context() to the stdlib. The patch implements my > proposal. It replaces code in several modules with one central > function. The patch also removes ssl.wrap_socket() in favor of a > SSLContex

[issue19689] ssl.create_default_context()

2013-11-21 Thread Christian Heimes
New submission from Christian Heimes: A few weeks ago I suggested the addition of ssl.create_default_context() to the stdlib. The patch implements my proposal. It replaces code in several modules with one central function. The patch also removes ssl.wrap_socket() in favor of a SSLContext o