Message10365

Author zyasoft
Recipients darjus, zyasoft
Date 2015-10-20.20:40:45
Message-id <1445373646.85.0.195655177698.issue2390@psf.upfronthosting.co.za>
In-reply-to
Content
Darjus, that was a good idea to run it on CPython 2/3. Strange it fails in this fashion for CPython, but it's looking good so far. Some further thoughts on looking at the code:

re SSLContext.cert_store_stats, we should be able to obtain via BC; see 
http://www.bouncycastle.org/wiki/display/JA1/X.509+Certificate+Revocation+Lists

re SSLContext.set_default_verify_paths, I'm pretty sure we can get this functionality via CompositeX509TrustManager as defined in _sslcerts. Maybe this can also resolve the issue we see with /usr/local/etc/openssl/cert.pem for brew users? TBD.

re SSLContext.set_alpn_protocols, etc, raising NotImplemented is fine for now. (It's possible we can use Netty to support.) Note that per the docs on SSLContext.set_*, we need to set values for the following:

>>> ssl.HAS_ALPN
False
>>> ssl.HAS_NPN
False
>>> ssl.HAS_ECDH
True
>>> ssl.HAS_SNI
True

Maybe we can provide support for ALPN/NPN by digging into Netty and what we can do to support SSL negotiation, but just based on what OS X 10.11 returns for their support, I think we are safe in deferring to 2.7.2 or later.
History
Date User Action Args
2015-10-20 20:40:46  zyasoft  set     messageid: <1445373646.85.0.195655177698.issue2390@psf.upfronthosting.co.za>
2015-10-20 20:40:46  zyasoft  set     recipients: + zyasoft, darjus
2015-10-20 20:40:46  zyasoft  link    issue2390 messages
2015-10-20 20:40:45  zyasoft  create
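
Added example, not part of the message above and not Jython or CPython code: the Python ssl documentation states that SSLContext.set_alpn_protocols and SSLContext.set_npn_protocols raise NotImplementedError when ssl.HAS_ALPN / ssl.HAS_NPN is False, so the flag values and the method behaviour can be checked against each other. StubSSL, StubContext and both function names are hypothetical, constructed here to mirror the flag values quoted in the message.

```python
# (module flag, SSLContext setter) pairs covered by the documented contract.
CONTRACT = (
    ("HAS_ALPN", "set_alpn_protocols"),
    ("HAS_NPN", "set_npn_protocols"),
)


def check_negotiation_contract(ssl_mod, ctx, protocols=("http/1.1",)):
    """Return a list of mismatches between ssl_mod.HAS_* and ctx behaviour."""
    problems = []
    for flag, setter in CONTRACT:
        if not hasattr(ssl_mod, flag):
            problems.append("%s is not defined" % flag)
            continue
        advertised = bool(getattr(ssl_mod, flag))
        try:
            getattr(ctx, setter)(list(protocols))
            works = True
        except (NotImplementedError, AttributeError):
            works = False
        if advertised and not works:
            problems.append("%s is True but %s() is unavailable" % (flag, setter))
        elif works and not advertised:
            problems.append("%s is False but %s() succeeded" % (flag, setter))
    return problems


def set_alpn_if_supported(ssl_mod, ctx, protocols):
    """Caller-side guard: request ALPN only when the module advertises it."""
    if not getattr(ssl_mod, "HAS_ALPN", False):
        return False
    ctx.set_alpn_protocols(list(protocols))
    return True


# Constructed stand-ins: flags False, setters raising NotImplementedError.
class StubSSL(object):
    HAS_ALPN = False
    HAS_NPN = False


class StubContext(object):
    def set_alpn_protocols(self, protocols):
        raise NotImplementedError("ALPN not supported")

    def set_npn_protocols(self, protocols):
        raise NotImplementedError("NPN not supported")


if __name__ == "__main__":
    print(check_negotiation_contract(StubSSL, StubContext()))
```

To check a live interpreter, pass the real ssl module and an ssl.SSLContext instance in place of the stubs.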