Ticket #774 (task)
Opened 2 years ago
Last modified 8 months ago
Migrate from pyOpenSSL to the ssl module
Status: closed (fixed)
| Reported by: | lawouach | Assigned to: | fumanchu |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.2 |
| Component: | wsgiserver | Keywords: | ssl |
| Cc: | | | |
Attachments
Change History
02/25/08 11:36:02: Modified by fumanchu
04/10/08 16:20:03: Modified by guest
It's being updated again.
07/05/08 23:28:33: Modified by nick@nick125.com
I think that we should use the standard library SSL module rather than pyOpenSSL, unless there is a very specific reason *not* to. Depending on a third-party library is a bad idea, especially when a standard library will work, for two reasons: 1) reducing dependencies; 2) not depending on libraries with questionable futures (i.e., we don't know when they're going to be updated). Do I smell a branch?
06/15/09 16:58:06: Modified by tooker@gmail.com
- attachment cp-ssl-py3kb.patch added.
patch to use py3k ssl module instead of pyOpenSSL
06/16/09 11:33:53: Modified by fumanchu
- owner changed from lawouach to fumanchu.
- status changed from new to assigned.
Integrated the patch in [2459]. There are a few things left to do, however:
- Backport it to trunk. This may involve supporting both the builtin ssl module and pyOpenSSL for some time in trunk. The ssl module has been backported to Python 2.3.5 and is available at http://pypi.python.org/pypi/ssl. Needs to be tested in Py 2.3, 4, and 5 before we drop pyOpenSSL.
- Decide what to do about the lost 'http over https' error message and broken test.
- Restore the lost ssl_certificate_chain functionality.
- Test and/or restore some of the lost ssl_context functionality; for example, certs which are streams instead of file objects, or need decryption.
- Restore the lost SSL_* environ entries.
- Remove the 'print' in tick() once we've debugged enough.
08/02/09 14:40:46: Modified by fumanchu
- status changed from assigned to closed.
- resolution set to fixed.
Okay; ssl libs are now pluggable in 3.2 via a new 'server.ssl_module' attribute. This defaults to 'pyopenssl' in trunk and 'builtin' in python3. Implemented in [2471] (trunk) and [2473] (python3) and a couple changesets immediately thereafter.
Fixed the broken 'http over https' error message in [2474].
It would still be good to pursue the ssl_certificate_chain functionality, plus some of the ssl_context functionality (for example, certs which are streams instead of file objects, or need decryption) which pyopenssl provided, in the builtin ssl module. We still are also missing some SSL_* environ entries when using the builtin ssl.


Besides the newness of the ssl module and the labor of actually getting it to work in CP, I'm just waiting for Windows binaries before making the switch. Assuming those three things happen, I'm all for moving to the ssl module.
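An added example, not CherryPy's own code, of what the 'builtin' side of a pluggable ssl_module could look like with the stdlib ssl module: a server context built from the cert/key files (the chain goes into the cert file, since load_cert_chain takes no separate chain argument) and a function that reconstructs the SSL_* environ entries fumanchu lists as missing. The adapter shape (wrap/get_environ) and all names are assumptions made here.

```python
import ssl


def build_server_context(certfile, keyfile, password=None):
    """Server-side SSLContext from PEM files (assumed helper, not CherryPy API).

    The builtin module has no separate 'ssl_certificate_chain' option: put the
    server certificate first in certfile, followed by its intermediates.
    'password' covers the encrypted-private-key case pyOpenSSL handled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocols
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


def ssl_environ(ssl_sock):
    """Map a handshaken ssl.SSLSocket onto mod_ssl-style SSL_* environ keys."""
    cipher = ssl_sock.cipher()  # None until the handshake has completed
    if cipher is None:
        raise ValueError("TLS handshake not completed; no SSL_* data available")
    cipher_name, _cipher_proto, key_bits = cipher
    env = {
        "HTTPS": "on",
        "SSL_PROTOCOL": ssl_sock.version(),
        "SSL_CIPHER": cipher_name,
        "SSL_CIPHER_USEKEYSIZE": str(key_bits),
        "SSL_CIPHER_ALGKEYSIZE": str(key_bits),
    }
    # Only present when the client presented a certificate (client auth).
    der = ssl_sock.getpeercert(binary_form=True)
    if der:
        env["SSL_CLIENT_CERT"] = ssl.DER_cert_to_PEM_cert(der)
    return env


class BuiltinSSLAdapter:
    """Hypothetical 'builtin' adapter: wrap() a plain accepted socket, then
    call get_environ() on the wrapped socket for each request."""

    def __init__(self, certfile, keyfile, password=None):
        self.context = build_server_context(certfile, keyfile, password)

    def wrap(self, sock):
        # do_handshake_on_connect=True: SSL_* data is ready when this returns
        return self.context.wrap_socket(sock, server_side=True)

    def get_environ(self, ssl_sock):
        return ssl_environ(ssl_sock)
```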