Issue #774 resolved

Migrate from pyOpenSSL to the ssl module

Anonymous created an issue

pyOpenSSL has not been updated since 2004 and may be the cause of the bug in #589. Migrate to the new ssl module that will be built-in in Python 2.- and available via PyPI.

Reported by lawouach

Comments (7)

  1. Robert Brewer

    Besides the newness of the ssl module and the labor of actually getting it to work in CP, I'm just waiting for Windows binaries before making the switch. Assuming those three things happen, I'm all for moving to the ssl module.

  2. Anonymous

    I think that we should use the standard library SSL module rather than pyOpenSSL, unless there is a very specific reason *not* to. Depending on a third-party library is a bad idea, especially when a standard library will work, for two reasons: 1) reducing dependencies; 2) not depending on libraries with questionable futures (i.e., we don't know when they're going to be updated). Do I smell a branch?

  3. Robert Brewer

    Integrated the patch in [2459]. There are a few things left to do, however:

    1. Backport it to trunk. This *may* involve supporting both the builtin ssl module and pyOpenSSL for some time in trunk. The `ssl` module has been backported to Python 2.3.5 and is available at Needs tested in Py 2.3, 4, and 5 before we drop pyOpenSSL.
    2. Decide what to do about the lost 'http over https' error message and broken test.
    3. Restore the lost ssl_certificate_chain functionality.
    4. Test and/or restore some of the lost ssl_context functionality; for example, certs which are streams instead of file objects, or need decryption.
    5. Restore the lost SSL_* environ entries.
    6. Remove the 'print' in tick() once we've debugged enough.

  4. Robert Brewer

    Okay; ssl libs are now pluggable in 3.2 via a new 'server.ssl_module' attribute. This defaults to 'pyopenssl' in trunk and 'builtin' in python3. Implemented in [2471] (trunk) and [2473] (python3) and a couple changesets immediately thereafter.

    Fixed the broken 'http over https' error message in [2474].

    It would still be good to pursue the ssl_certificate_chain functionality, plus some of the ssl_context functionality (for example, certs which are streams instead of file objects, or need decryption) which pyopenssl provided, in the builtin ssl module. We still are also missing some SSL_* environ entries when using the builtin ssl.
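
The SSL_* environ entries that the last two comments list as missing can be derived from what the standard-library `ssl` module exposes on a connected socket. The following is an added example, not CherryPy's code and not part of the thread; the function names, the mod_ssl-style variable names, the comma-separated DN format and the sample values are assumptions made for illustration.

```python
# Added example, not CherryPy code; variable names follow Apache mod_ssl.
# getpeercert() attribute names -> short DN component names.
RDN_SHORT = {"countryName": "C", "stateOrProvinceName": "ST",
             "localityName": "L", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}

# Constructed samples shaped like SSLSocket.cipher() / getpeercert() results.
SAMPLE_CIPHER = ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Org"),),
                (("commonName", "client.example.test"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Root"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def _dn_entries(prefix, rdns):
    """Flatten a getpeercert() name (a tuple of RDNs) into environ entries."""
    entries, parts = {}, []
    for rdn in rdns:
        for long_name, value in rdn:
            short = RDN_SHORT.get(long_name, long_name)
            parts.append("%s=%s" % (short, value))
            # First occurrence wins, so a repeated attribute cannot replace it.
            entries.setdefault("%s_%s" % (prefix, short), value)
    if parts:
        entries[prefix] = ",".join(parts)
    return entries


def ssl_environ(cipher, peercert=None):
    """Build WSGI environ entries for one TLS connection."""
    environ = {"wsgi.url_scheme": "https", "HTTPS": "on"}
    if cipher:  # (name, protocol, secret_bits); None before the handshake
        name, protocol, bits = cipher
        environ.update(SSL_CIPHER=name, SSL_PROTOCOL=protocol,
                       SSL_CIPHER_USEKEYSIZE=str(bits))
    if peercert:  # None: no client cert sent; {}: cert was not validated
        environ.update(_dn_entries("SSL_CLIENT_S_DN", peercert.get("subject", ())))
        environ.update(_dn_entries("SSL_CLIENT_I_DN", peercert.get("issuer", ())))
        for key, field in (("SSL_CLIENT_M_SERIAL", "serialNumber"),
                           ("SSL_CLIENT_V_START", "notBefore"),
                           ("SSL_CLIENT_V_END", "notAfter")):
            if field in peercert:
                environ[key] = peercert[field]
    return environ
```

Because `getpeercert()` returns `{}` for a certificate that was not validated, no `SSL_CLIENT_*` entry is set in that case, so an application never sees identity fields from an unverified client certificate.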
