[Python-Dev] ssl

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Sat Jun 5 15:11:09 CEST 2010


On 08:34 am, kristjan at ccpgames.com wrote:
>Hello there.
>I wanted to do some work on the ssl module, but I was a bit daunted at 
>the prerequisites. Is there anywhere that I can get at precompiled 
>libs for the openssl that we use?
>In general, getting all those "external" projects seems to be complex to 
>build. Is there a fast way?

I take it the challenge is that you want to do development on Windows? 
If so, this might help:
 http://www.slproweb.com/products/Win32OpenSSL.html
It's what I use for any Windows pyOpenSSL development I need to do.

>What I want to do, is to implement a separate BIO for OpenSSL, one that 
>calls back into python for writes and reads. This is so that I can use 
>my own sockets implementation for the actual IO, in particular, I want 
>to funnel the encrypted data through our IOCompletion-based stackless 
>sockets.

For what it's worth, Twisted's IOCP SSL support is implemented using 
pyOpenSSL's support of OpenSSL memory BIOs. This is a little different 
from your idea: memory BIOs are a built-in part of OpenSSL, and just 
give you a buffer from which you can pull whatever bytes OpenSSL wanted 
to write (or a buffer into which to put bytes for OpenSSL to read).
I suspect this would work well enough for your use case. Being able to 
implement an actual BIO in Python would be pretty cool, though.

>If successful, I think this would be a useful addition to ssl.
>You would do something like:
>
>class BIO():
> def write(): pass
> def read(): pass
>
>from ssl.import
>bio = BIO()
>ssl_socket = ssl.wrap_bio(bio, ca_certs=...)

Hopefully this would integrate more nicely with the recent work Antoine 
has done with SSL contexts. The preferred API for creating an SSL 
connection is now more like this:
 import ssl
 ctx = ssl.SSLContext(...)
 conn = ctx.wrap_socket(...)
So perhaps you want to add a wrap_bio method to SSLContext. In fact, 
this would be the more general API, and could supersede wrap_socket: 
after all, socket support is just implemented with the socket BIOs. 
wrap_socket would become a simple wrapper around something like 
wrap_bio(SocketBIO(socket)).

>I am new to OpenSSL, I haven't even looked at what a BIO looks like, 
>but I read this: http://marc.info/?l=openssl-users&m=99909952822335&w=2
>which indicates that this ought to be possible. And before I start 
>experimenting, I need to get my OpenSSL external ready.
>
>Any thoughts?

It should be possible. One thing that's pretty tricky is getting 
threading right, though. Python doesn't have to deal with this problem 
yet, as far as I know, because it never does something that causes 
OpenSSL to call back into Python code. Once you have a Python BIO 
implementation, this will clearly be necessary, and you'll have to solve 
this. It's certainly possible, but quite fiddly.
Jean-Paul
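
Added example, not part of the original message: the memory-BIO approach described in the reply, written with ssl.MemoryBIO and SSLContext.wrap_bio from the Python 3.5+ standard library, which did not exist when this message was sent. The helper names, the hostname peer.example and the plaintext reply fed in as peer data are constructed for illustration.

```python
import ssl

def new_client(hostname="peer.example"):
    """Client-side TLS engine that never touches a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    incoming = ssl.MemoryBIO()  # ciphertext received from the peer goes in here
    outgoing = ssl.MemoryBIO()  # ciphertext OpenSSL wants sent comes out here
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return tls, incoming, outgoing

def step_handshake(tls, incoming, outgoing, received=b""):
    """Feed bytes read from the caller's transport and advance the handshake.

    Returns (state, to_send): state is "done", "want_read" or "failed";
    to_send is ciphertext the caller must write to its own transport.
    """
    if received:
        incoming.write(received)
    try:
        tls.do_handshake()
        state = "done"
    except ssl.SSLWantReadError:
        state = "want_read"   # OpenSSL needs more bytes from the peer
    except ssl.SSLError:
        state = "failed"      # malformed or untrusted peer data: stop here
    return state, outgoing.read()

def demo():
    tls, incoming, outgoing = new_client()
    # No peer data yet: OpenSSL emits the ClientHello into the outgoing buffer.
    first = step_handshake(tls, incoming, outgoing)
    # Constructed input: a plaintext HTTP reply where a TLS record is expected.
    second = step_handshake(tls, incoming, outgoing,
                            b"HTTP/1.1 400 Bad Request\r\n\r\n")
    return first, second

if __name__ == "__main__":
    (state1, hello), (state2, leftover) = demo()
    print(state1, len(hello), hello[:6].hex())
    print(state2, leftover.hex())
```

The caller owns all I/O: whatever step_handshake returns in to_send is written to the real transport (an IOCP socket, for instance), and whatever arrives from it is passed back in as received.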

