Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

Open
alex opened this issue Mar 14, 2017 · 5 comments
Open

Rename ssl.Purpose.{CLIENT,SERVER}_AUTH #73996

alex opened this issue Mar 14, 2017 · 5 comments
Labels
stdlib Python modules in the Lib dir

Comments

@alex
Copy link
Member

alex commented Mar 14, 2017

BPO 29810
Nosy @tiran, @alex, @dstufft

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2017-03-14.16:17:49.536>
labels = []
title = 'Rename ssl.Purpose.{CLIENT,SERVER}_AUTH'
updated_at = <Date 2017-03-14.16:48:50.514>
user = 'https://github.com/alex'

bugs.python.org fields:

activity = <Date 2017-03-14.16:48:50.514>
actor = 'alex'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = []
creation = <Date 2017-03-14.16:17:49.536>
creator = 'alex'
dependencies = []
files = []
hgrepos = []
issue_num = 29810
keywords = []
message_count = 5.0
messages = ['289601', '289604', '289605', '289606', '289607']
nosy_count = 4.0
nosy_names = ['janssen', 'christian.heimes', 'alex', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue29810'
versions = []
@alex
Copy link
Member Author

alex commented Mar 14, 2017

The names are super misleading. First, they're written in a way that's the opposite of how people think about these things (CLIENT_AUTH -> server socket; SERVER_AUTH -> client socket). Second, they're misleading, you can have TLS which is *mutually* authenticated. Third, CLIENT_AUTH is very frequently used for a server socket where the client isn't authenticated (at the TLS layer) at all!

A simple fix would be to add: Purpose.{CLIENT,SERVER}_SOCKET and alias the old names to those values.

@tiran
Copy link
Member

tiran commented Mar 14, 2017

For 3.7 I'm planning to move to protocols instead of purpose oids (PROTOCOL_TLS_CLIENT, PROTOCOL_TLS_SERVER).

@alex
Copy link
Member Author

alex commented Mar 14, 2017

Ah, so instead of PROTOCOL_SSLv23 using PROTOCOL_TLS_CLIENT and deprecating the Purpose bits entirely? That sounds good to me!

@tiran
Copy link
Member

tiran commented Mar 14, 2017

Yes, I'm planning a PEP to make the SSL module a bit more sane:

  1. deprecate all protocols except for PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER
  2. deprecate purpose in favor of PROTOCOL_TLS_*
  3. PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED, match_hostname=True

@alex
Copy link
Member Author

alex commented Mar 14, 2017

Sounds good to me!

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@pquentin pquentin mentioned this issue May 9, 2022
Closed
pquentin added a commit to elastic/rally that referenced this issue May 19, 2022
@pquentin
Fix use_ssl: True on Python 3.10 (#1493)
d98c4b6 
Rally is a client, so its purpose is to authenticate servers. This means
that we should use ssl.Purpose.SERVER_AUTH instead of CLIENT_AUTH, with
or without client certs. This is super confusing, see
python/cpython#73996. Anyway, in 3.10 making this mistake isn't possible
anymore due python/cpython#26646.
    
To make sure this does not break in the future, we also add tests for
the IP and client certs cases.
@pquentin pquentin mentioned this issue May 20, 2022
Merged
@iritkatriel iritkatriel added the stdlib Python modules in the Lib dir label Nov 27, 2023
@vadmium vadmium mentioned this issue Feb 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stdlib Python modules in the Lib dir
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alex @tiran @iritkatriel