|
||
<!DOCTYPE html>
|
||
<html lang="en">
|
||
<head>
|
||
<meta charset="utf-8">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
<meta name="color-scheme" content="light dark">
|
||
<title>PEP 546 – Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7 | peps.python.org</title>
|
||
<link rel="shortcut icon" href="../_static/py.png">
|
||
<link rel="canonical" href="https://peps.python.org/pep-0546/">
|
||
<link rel="stylesheet" href="../_static/style.css" type="text/css">
|
||
<link rel="stylesheet" href="../_static/mq.css" type="text/css">
|
||
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" media="(prefers-color-scheme: light)" id="pyg-light">
|
||
<link rel="stylesheet" href="../_static/pygments_dark.css" type="text/css" media="(prefers-color-scheme: dark)" id="pyg-dark">
|
||
<link rel="alternate" type="application/rss+xml" title="Latest PEPs" href="https://peps.python.org/peps.rss">
|
||
<meta property="og:title" content='PEP 546 – Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7 | peps.python.org'>
|
||
<meta property="og:type" content="website">
|
||
<meta property="og:url" content="https://peps.python.org/pep-0546/">
|
||
<meta property="og:site_name" content="Python Enhancement Proposals (PEPs)">
|
||
<meta property="og:image" content="https://peps.python.org/_static/og-image.png">
|
||
<meta property="og:image:alt" content="Python PEPs">
|
||
<meta property="og:image:width" content="200">
|
||
<meta property="og:image:height" content="200">
|
||
<meta name="description" content="Python Enhancement Proposals (PEPs)">
|
||
<meta name="theme-color" content="#3776ab">
|
||
</head>
|
||
<body>
|
||
|
||
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
|
||
<symbol id="svg-sun-half" viewBox="0 0 24 24" pointer-events="all">
|
||
<title>Following system colour scheme</title>
|
||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
|
||
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
|
||
<circle cx="12" cy="12" r="9"></circle>
|
||
<path d="M12 3v18m0-12l4.65-4.65M12 14.3l7.37-7.37M12 19.6l8.85-8.85"></path>
|
||
</svg>
|
||
</symbol>
|
||
<symbol id="svg-moon" viewBox="0 0 24 24" pointer-events="all">
|
||
<title>Selected dark colour scheme</title>
|
||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
|
||
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
|
||
<path stroke="none" d="M0 0h24v24H0z" fill="none"></path>
|
||
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z"></path>
|
||
</svg>
|
||
</symbol>
|
||
<symbol id="svg-sun" viewBox="0 0 24 24" pointer-events="all">
|
||
<title>Selected light colour scheme</title>
|
||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
|
||
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
|
||
<circle cx="12" cy="12" r="5"></circle>
|
||
<line x1="12" y1="1" x2="12" y2="3"></line>
|
||
<line x1="12" y1="21" x2="12" y2="23"></line>
|
||
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
|
||
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
|
||
<line x1="1" y1="12" x2="3" y2="12"></line>
|
||
<line x1="21" y1="12" x2="23" y2="12"></line>
|
||
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
|
||
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
|
||
</svg>
|
||
</symbol>
|
||
</svg>
|
||
<script>
|
||
|
||
document.documentElement.dataset.colour_scheme = localStorage.getItem("colour_scheme") || "auto"
|
||
</script>
|
||
<section id="pep-page-section">
|
||
<header>
|
||
<h1>Python Enhancement Proposals</h1>
|
||
<ul class="breadcrumbs">
|
||
<li><a href="https://www.python.org/" title="The Python Programming Language">Python</a> » </li>
|
||
<li><a href="../pep-0000/">PEP Index</a> » </li>
|
||
<li>PEP 546</li>
|
||
</ul>
|
||
<button id="colour-scheme-cycler" onClick="setColourScheme(nextColourScheme())">
|
||
<svg aria-hidden="true" class="colour-scheme-icon-when-auto"><use href="#svg-sun-half"></use></svg>
|
||
<svg aria-hidden="true" class="colour-scheme-icon-when-dark"><use href="#svg-moon"></use></svg>
|
||
<svg aria-hidden="true" class="colour-scheme-icon-when-light"><use href="#svg-sun"></use></svg>
|
||
<span class="visually-hidden">Toggle light / dark / auto colour theme</span>
|
||
</button>
|
||
</header>
|
||
<article>
|
||
<section id="pep-content">
|
||
<h1 class="page-title">PEP 546 – Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7</h1>
|
||
<dl class="rfc2822 field-list simple">
|
||
<dt class="field-odd">Author<span class="colon">:</span></dt>
|
||
<dd class="field-odd">Victor Stinner &lt;vstinner at python.org&gt;,
|
||
Cory Benfield &lt;cory at lukasa.co.uk&gt;</dd>
|
||
<dt class="field-even">BDFL-Delegate<span class="colon">:</span></dt>
|
||
<dd class="field-even">Benjamin Peterson &lt;benjamin at python.org&gt;</dd>
|
||
<dt class="field-odd">Status<span class="colon">:</span></dt>
|
||
<dd class="field-odd"><abbr title="Formally declined and will not be accepted">Rejected</abbr></dd>
|
||
<dt class="field-even">Type<span class="colon">:</span></dt>
|
||
<dd class="field-even"><abbr title="Normative PEP with a new feature for Python, implementation change for CPython or interoperability standard for the ecosystem">Standards Track</abbr></dd>
|
||
<dt class="field-odd">Created<span class="colon">:</span></dt>
|
||
<dd class="field-odd">30-May-2017</dd>
|
||
<dt class="field-even">Python-Version<span class="colon">:</span></dt>
|
||
<dd class="field-even">2.7</dd>
|
||
<dt class="field-odd">Post-History<span class="colon">:</span></dt>
|
||
<dd class="field-odd">23-May-2017</dd>
|
||
<dt class="field-even">Resolution<span class="colon">:</span></dt>
|
||
<dd class="field-even"><a class="reference external" href="https://mail.python.org/pipermail/python-dev/2017-June/148301.html">Python-Dev message</a></dd>
|
||
</dl>
|
||
<hr class="docutils" />
|
||
<section id="contents">
|
||
<details><summary>Table of Contents</summary><ul class="simple">
|
||
<li><a class="reference internal" href="#abstract">Abstract</a></li>
|
||
<li><a class="reference internal" href="#rejection-notice">Rejection Notice</a></li>
|
||
<li><a class="reference internal" href="#rationale">Rationale</a><ul>
|
||
<li><a class="reference internal" href="#pep-543">PEP 543</a></li>
|
||
<li><a class="reference internal" href="#requests-pip-and-ensurepip">requests, pip and ensurepip</a></li>
|
||
<li><a class="reference internal" href="#other-benefits">Other Benefits</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#concerns">Concerns</a><ul>
|
||
<li><a class="reference internal" href="#what-about-old-python-2">What About Old Python 2?</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#changes">Changes</a></li>
|
||
<li><a class="reference internal" href="#links">Links</a></li>
|
||
<li><a class="reference internal" href="#discussions">Discussions</a></li>
|
||
<li><a class="reference internal" href="#copyright">Copyright</a></li>
|
||
</ul>
|
||
</details></section>
|
||
<section id="abstract">
|
||
<h2><a class="toc-backref" href="#abstract" role="doc-backlink">Abstract</a></h2>
|
||
<p>Backport the ssl.MemoryBIO and ssl.SSLObject classes from Python 3 to Python
|
||
2.7 to enhance the overall security of Python 2.7.</p>
|
||
</section>
|
||
<section id="rejection-notice">
|
||
<h2><a class="toc-backref" href="#rejection-notice" role="doc-backlink">Rejection Notice</a></h2>
|
||
<p>This PEP is rejected; see the <a class="reference external" href="https://mail.python.org/pipermail/python-dev/2018-May/153760.html">Withdraw PEP 546? Backport ssl.MemoryBIO and
|
||
ssl.SSLObject to Python 2.7</a>
|
||
discussion for the rationale.</p>
|
||
</section>
|
||
<section id="rationale">
|
||
<h2><a class="toc-backref" href="#rationale" role="doc-backlink">Rationale</a></h2>
|
||
<p>While Python 2.7 is getting closer to its end-of-support date (scheduled for
|
||
2020), it is still used on production systems and the Python community is still
|
||
responsible for its security. This PEP will help facilitate the future adoption
|
||
of <a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a> across all supported Python versions, which will improve security
|
||
for both Python 2 and Python 3 users.</p>
|
||
<p>This PEP does NOT propose a general exception for backporting new
|
||
features to Python 2.7 - every new feature proposed for backporting will
|
||
still need to be justified independently. In particular, it will need to
|
||
be explained why relying on an independently updated backport on the
|
||
Python Package Index instead is not an acceptable solution.</p>
|
||
<section id="pep-543">
|
||
<h3><a class="toc-backref" href="#pep-543" role="doc-backlink">PEP 543</a></h3>
|
||
<p><a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a> defines a new TLS API for Python which would enhance Python
|
||
security by giving Python applications access to the native TLS implementations
|
||
on Windows and macOS, instead of using OpenSSL. A side effect is that it gives
|
||
access to the system trust store and certificates installed
|
||
locally by system administrators, enabling Python applications to use “company
|
||
certificates” without modifying each application, and therefore to correctly
|
||
validate TLS certificates (instead of having to ignore or bypass TLS
|
||
certificate validation).</p>
|
||
<p>For practical reasons, Cory Benfield would like to first implement an
|
||
I/O-less class similar to ssl.MemoryBIO and ssl.SSLObject for
|
||
<a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a>, and to provide a second class based on the first one to use
|
||
sockets or file descriptors. This design would help to structure the code
|
||
to support more backends and simplify testing and auditing, as well as
|
||
implementation. Later, optimized classes directly using sockets or file
|
||
descriptors may be added for performance.</p>
|
||
<p>While <a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a> defines an API, the PEP would only make sense if it
|
||
comes with at least one complete and good implementation. The first
|
||
implementation would ideally be based on the <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module of the Python
|
||
standard library, as this is shipped to all users by default and can be used as
|
||
a fallback implementation in the absence of anything more targeted.</p>
|
||
<p>If this backport is not performed, the only baseline implementation that could
|
||
be used would be pyOpenSSL. This is problematic, however, because of the
|
||
interaction with pip, which is shipped with CPython on all supported versions.</p>
|
||
</section>
|
||
<section id="requests-pip-and-ensurepip">
|
||
<h3><a class="toc-backref" href="#requests-pip-and-ensurepip" role="doc-backlink">requests, pip and ensurepip</a></h3>
|
||
<p>There are plans afoot to look at moving Requests to a more event-loop-y
|
||
model. The Requests team does not feel at this time it is possible to abandon
|
||
support for Python 2.7, so doing so would require using either Twisted or
|
||
Tornado, or writing their own asynchronous abstraction.</p>
|
||
<p>For asynchronous code, a MemoryBIO provides substantial advantages over using a
|
||
wrapped socket. It reduces the amount of buffering that must be done, works on
|
||
IOCP-based reactors as well as select/poll based ones, and also greatly
|
||
simplifies the reactor and implementation code. For this reason, Requests is
|
||
disinclined to use a wrapped-socket-based implementation. In the absence of a
|
||
backport to Python 2.7, Requests is required to use the same solution that
|
||
Twisted does: namely, a mandatory dependency on <a class="reference external" href="https://pypi.python.org/pypi/pyOpenSSL">pyOpenSSL</a>.</p>
|
||
<p>The <a class="reference external" href="https://pip.pypa.io/">pip</a> program has to embed all its
|
||
dependencies for practical reasons: namely, that it cannot rely on any other
|
||
installation method being present. Since pip depends on requests, it means
|
||
that it would have to embed a copy of pyOpenSSL. That would imply substantial
|
||
usability pain to install pip. Currently, pip doesn’t support embedding
|
||
C extensions which must be compiled on each platform and so require a C
|
||
compiler.</p>
|
||
<p>Since Python 2.7.9, Python embeds a copy of pip both for default
|
||
installation and for use in virtual environments via the new <code class="docutils literal notranslate"><span class="pre">ensurepip</span></code>
|
||
module. If pip ends up bundling pyOpenSSL, then CPython will end up
|
||
bundling pyOpenSSL. Only backporting <code class="docutils literal notranslate"><span class="pre">ssl.MemoryBIO</span></code> and
|
||
<code class="docutils literal notranslate"><span class="pre">ssl.SSLObject</span></code> would avoid the need to embed pyOpenSSL, and would fix the
|
||
bootstrap issue (python -> ensurepip -> pip -> requests -> MemoryBIO).</p>
|
||
<p>This situation is less problematic than the barrier to adoption of <a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a>, as
|
||
naturally Requests does not have to move to an event loop model before it drops
|
||
support for Python 2.7. However, it does make it painful for Requests (and pip)
|
||
to embrace both asyncio and the <code class="docutils literal notranslate"><span class="pre">async</span></code> and <code class="docutils literal notranslate"><span class="pre">await</span></code> keywords for as long as
|
||
it continues to support Python 2.</p>
|
||
</section>
|
||
<section id="other-benefits">
|
||
<h3><a class="toc-backref" href="#other-benefits" role="doc-backlink">Other Benefits</a></h3>
|
||
<p>Adopting this PEP would have other smaller ecosystem benefits. For example,
|
||
Twisted would be able to reduce its dependency on third-party C extensions.
|
||
Additionally, the pyOpenSSL development team would like to sunset the module,
|
||
and this backport would free them up to do so in a graceful manner without
|
||
leaving their users in the lurch.</p>
|
||
<p>Each of these fringe benefits, while small, also provides value to the wider
|
||
Python ecosystem.</p>
|
||
</section>
|
||
</section>
|
||
<section id="concerns">
|
||
<h2><a class="toc-backref" href="#concerns" role="doc-backlink">Concerns</a></h2>
|
||
<p>There are some concerns that people have about this backport.</p>
|
||
<section id="what-about-old-python-2">
|
||
<h3><a class="toc-backref" href="#what-about-old-python-2" role="doc-backlink">What About Old Python 2?</a></h3>
|
||
<p>A number of the Python 2 users in the world are not keeping pace with Python 2
|
||
releases. This is most usually because they are using LTS releases that are not
|
||
keeping pace with the minor releases of Python 2. These users would not be able
|
||
to use the MemoryBIO, and so projects concerned with Python 2 compatibility may
|
||
be unable to rely on the MemoryBIO being present on most of their users’
|
||
systems.</p>
|
||
<p>This concern is reasonable. How critical it is depends on the likelihood of
|
||
current users of Python 2 migrating to Python 3, or just trying to use the most
|
||
recent Python 2 release. Put another way, at some point libraries will want to
|
||
drop Python 2 support: the question is only whether a significant majority of
|
||
their Python 2 users have moved to whatever Python 2 release contains this
|
||
backport before they do so.</p>
|
||
<p>Ultimately, the authors of this PEP believe that the burden of this backport is
|
||
sufficiently minimal to justify backporting despite this concern. If it turns
|
||
out that migration to newer 2.7 releases is too slow, then the value of the
|
||
work will be minimal, but if the migration to newer 2.7 releases is anything
|
||
like reasonable then there will be substantial value gained.</p>
|
||
</section>
|
||
</section>
|
||
<section id="changes">
|
||
<h2><a class="toc-backref" href="#changes" role="doc-backlink">Changes</a></h2>
|
||
<p>Add <code class="docutils literal notranslate"><span class="pre">MemoryBIO</span></code> and <code class="docutils literal notranslate"><span class="pre">SSLObject</span></code> classes to the <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module of
|
||
Python 2.7.</p>
|
||
<p>The code will be backported and adapted from the master branch
|
||
(Python 3).</p>
|
||
<p>The backport also significantly reduced the size of the Python 2/Python
|
||
3 difference of the <code class="docutils literal notranslate"><span class="pre">_ssl</span></code> module, which makes maintenance easier.</p>
|
||
</section>
|
||
<section id="links">
|
||
<h2><a class="toc-backref" href="#links" role="doc-backlink">Links</a></h2>
|
||
<ul class="simple">
|
||
<li><a class="pep reference internal" href="../pep-0543/" title="PEP 543 – A Unified TLS API for Python">PEP 543</a></li>
|
||
<li><a class="reference external" href="https://bugs.python.org/issue22559">[backport] ssl.MemoryBIO</a>: Implementation of this PEP
|
||
written by Alex Gaynor (first version written in October 2014)</li>
|
||
<li><a class="pep reference internal" href="../pep-0466/" title="PEP 466 – Network Security Enhancements for Python 2.7.x">PEP 466</a></li>
|
||
</ul>
|
||
</section>
|
||
<section id="discussions">
|
||
<h2><a class="toc-backref" href="#discussions" role="doc-backlink">Discussions</a></h2>
|
||
<ul class="simple">
|
||
<li><a class="reference external" href="https://mail.python.org/pipermail/python-dev/2017-May/147981.html">[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?</a>
|
||
(May 2017)</li>
|
||
</ul>
|
||
</section>
|
||
<section id="copyright">
|
||
<h2><a class="toc-backref" href="#copyright" role="doc-backlink">Copyright</a></h2>
|
||
<p>This document has been placed in the public domain.</p>
|
||
</section>
|
||
</section>
|
||
<hr class="docutils" />
|
||
<p>Source: <a class="reference external" href="https://github.com/python/peps/blob/main/peps/pep-0546.rst">https://github.com/python/peps/blob/main/peps/pep-0546.rst</a></p>
|
||
<p>Last modified: <a class="reference external" href="https://github.com/python/peps/commits/main/peps/pep-0546.rst">2023-09-09 17:39:29 GMT</a></p>
|
||
|
||
</article>
|
||
<nav id="pep-sidebar">
|
||
<h2>Contents</h2>
|
||
<ul>
|
||
<li><a class="reference internal" href="#abstract">Abstract</a></li>
|
||
<li><a class="reference internal" href="#rejection-notice">Rejection Notice</a></li>
|
||
<li><a class="reference internal" href="#rationale">Rationale</a><ul>
|
||
<li><a class="reference internal" href="#pep-543">PEP 543</a></li>
|
||
<li><a class="reference internal" href="#requests-pip-and-ensurepip">requests, pip and ensurepip</a></li>
|
||
<li><a class="reference internal" href="#other-benefits">Other Benefits</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#concerns">Concerns</a><ul>
|
||
<li><a class="reference internal" href="#what-about-old-python-2">What About Old Python 2?</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#changes">Changes</a></li>
|
||
<li><a class="reference internal" href="#links">Links</a></li>
|
||
<li><a class="reference internal" href="#discussions">Discussions</a></li>
|
||
<li><a class="reference internal" href="#copyright">Copyright</a></li>
|
||
</ul>
|
||
|
||
<br>
|
||
<a id="source" href="https://github.com/python/peps/blob/main/peps/pep-0546.rst">Page Source (GitHub)</a>
|
||
</nav>
|
||
</section>
|
||
<script src="../_static/colour_scheme.js"></script>
|
||
<script src="../_static/wrap_tables.js"></script>
|
||
<script src="../_static/sticky_banner.js"></script>
|
||
</body>
|
||
</html> |