[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX
Steffen Nurpmeso via RT
rt at openssl.org
Thu Dec 11 18:37:58 UTC 2014
"Salz, Rich via RT" <rt at openssl.org> wrote:
|> So you want a separate "openssl-conf" package. Fine, then provide it and
|> give an easy mechanism for applications to hook into it.
|> And for users to be able to overwrite system defaults.
|> But this has not that much to do with #3627.
|
|Yes it does. :) A newer simpler API that does what you want seems exactly the way forward. Go for it.
You sound pretty good and done here.. Congratulations. [Laughter]
Regarding the interface: back in 2011 i have started (only) writing
a Python (grr) script, which had a really simple way of doing
_any_ socket connection via
class SaSo: # {{{ Sa[fe]So[cket] SSL and socket creation encapsulator
The basic concept was that all you can do is
def create_connection(serv, cafile=None, all_fingerprints=False):
where serv is a class Service,
class Service(Config.Section):
that directly maps to a configuration type (shortened by doc)
[service]
uid = UID
url = NAME
proto = proto
port = NUMBER
upgrade-secure = BOOLEAN
fetch-folders = mailbox, another-mailbox, ...
options = protocol-dependent (comma separated list of options)
So whether TLS or not you simply
(err, conn) = SaSo.create_connection(serv)
if err:
    return (intro + 'connect failure: ' + err, ESTAT_CONNECTION)
print('@ ', intro, conn.pretty_addr, sep='', file=STDOUT)
_maximally_ extended by (for non-initially secured transport)
# Shall we try to upgrade to TLS (RFC 2595)?
if self.service.upgrade_secure:
    resp = self._single('STLS')
    if not resp:
        self.error_append('\nServer does not seem to support secure ' +
                          'transport.\nYou need to disable the *upgrade-secure* ' +
                          'configuration setting.')
        return
    resp = SaSo.wrap_connection(self.conn)
    if resp is not None:
        self.error = 'failed to perform *upgrade-secure*: ' + resp
        return
Cool, eh? S-postman.py was that thing.
_That_ is in essence what i mean -- just think about the current
Python urllib is it CVE-2014-9365: not even programmers that know
do it the right way, how can you expect administrators and normal
users to do so, even _if_ the software allows the necessary
configuration. Nono.
|I've said that adding new magic keywords is not something we're going to do, and I've tried to explain the reasoning. I am sorry that you don't like it.
Despite that i continue to disagree _completely_.
The other way around would be the right way to go for
configuration, and if that doesn't work then the _library_ had to
be adjusted. E.g. by splitting off a small config update package
that updates cipher lists and whatever (i am really not an expert.
Nor do i plan to become one) without the need to recompile
OpenSSL. Cool. But you are not there yet, are you? :-)
So please please, give us "MIN" and "MAX".
Ciao,
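An added example, written for this page and not taken from the message above, from S-postman.py or from OpenSSL: it sketches the Service/SaSo idea in current Python, where a [service] section is parsed into a Service object and a verifying SSLContext with explicit minimum and maximum protocol versions is derived from it (the "MIN"/"MAX" the poster asks for, done on the application side). The `tls-min=` / `tls-max=` option keys, the sample [service] values and the POP3 STLS upgrade in `create_connection` are assumptions for illustration.

```python
"""Safe-by-default connection helper in the spirit of the SaSo/Service design.

Added example, not the original poster's code. The 'tls-min'/'tls-max' option
names and the sample configuration below are constructed for this example.
"""
import configparser
import socket
import ssl
from dataclasses import dataclass, field

# Constructed sample in the [service] format shown in the post.
SAMPLE_CONFIG = """
[service]
uid = mail-example
url = mail.example.invalid
proto = pop3
port = 110
upgrade-secure = yes
fetch-folders = INBOX, Archive
options = tls-min=TLSv1.2, tls-max=TLSv1.3
"""

# Accepted protocol version names (assumed spelling of the option values).
_TLS_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class Service:
    uid: str
    url: str
    proto: str
    port: int
    upgrade_secure: bool
    fetch_folders: list = field(default_factory=list)
    options: dict = field(default_factory=dict)


def parse_service(text):
    """Turn a [service] section into a Service; 'options' becomes a key=value dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["service"]
    opts = {}
    for item in sec.get("options", "").split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
    folders = [f.strip() for f in sec.get("fetch-folders", "").split(",") if f.strip()]
    return Service(uid=sec["uid"], url=sec["url"], proto=sec["proto"],
                   port=sec.getint("port"),
                   upgrade_secure=sec.getboolean("upgrade-secure"),
                   fetch_folders=folders, options=opts)


def _version(name, default):
    """Map an option value to ssl.TLSVersion; an unknown name is a config error, not a silent fallback."""
    if name is None:
        return default
    if name not in _TLS_VERSIONS:
        raise ValueError("unknown TLS version in options: %r" % name)
    return _TLS_VERSIONS[name]


def build_context(serv, cafile=None):
    """Verifying context: CERT_REQUIRED + hostname check, plus explicit MIN/MAX versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = _version(serv.options.get("tls-min"), ssl.TLSVersion.TLSv1_2)
    ctx.maximum_version = _version(serv.options.get("tls-max"), ssl.TLSVersion.MAXIMUM_SUPPORTED)
    return ctx


def create_connection(serv, cafile=None):
    """Return (err, conn) like the post's API; conn is always TLS-wrapped on success."""
    ctx = build_context(serv, cafile)
    try:
        sock = socket.create_connection((serv.url, serv.port), timeout=30)
        if serv.upgrade_secure:
            # Plaintext first, then RFC 2595 STLS (assumed POP3 dialogue).
            if serv.proto != "pop3":
                return ("upgrade-secure only implemented for pop3 here", None)
            sock.recv(1024)                       # server greeting
            sock.sendall(b"STLS\r\n")
            if not sock.recv(1024).startswith(b"+OK"):
                sock.close()
                return ("Server does not seem to support secure transport", None)
        conn = ctx.wrap_socket(sock, server_hostname=serv.url)
        return (None, conn)
    except (OSError, ssl.SSLError) as exc:
        return (str(exc), None)
```

`build_context` is the part worth checking in isolation: the returned context refuses unverified peers and is pinned to the configured version window, so an application that only ever gets sockets through `create_connection` cannot accidentally end up with the unverified default the urllib CVE mentioned above was about.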