Comments (17)
Hmm, PyOpenSSL doesn't even support NPN, let alone ALPN. Maybe worth an enhancement?
from hyper.
I filed this: pyca/pyopenssl#79
from hyper.
Excellent! Thanks for that! I'll see how hard it's likely to be to implement this in PyOpenSSL. =)
from hyper.
I'm not sure how much this helps, but I've forked the Python 2.7.6 ssl module as ssl2 and backported NPN support from 3.3. It is likely buggy, but hey, apparently hyper is too :). Let me know if you find it useful; if it gets traction, I'll certainly maintain it, and probably backport more features.
from hyper.
There's a crossover between this and PyOpenSSL. I prefer the interface from the stdlib's ssl module, but PyOpenSSL has the advantage of working on non-CPython interpreters. There's an open PyOpenSSL issue (pyca/pyopenssl#79) that's had some work done so far. I'm honestly not sure which is the better route to go. Thanks for the backport though! (Side note: are you aware of the draft PEP466? Might be worth letting Nick Coghlan know that you've already done some of this work. =) )
from hyper.
I was not aware of PEP466, and let me assure you, it's a big relief. Since the changes to be backported are evidently the entire ssl module modulo a few functions, I doubt my little ssl2 module will be much use (in particular, Python 3.4 hangs the NPN-related functionality off the new SSLContext class, which I imagine will be copied wholesale and then patched up to conform to the 2.x CPython API).
Python 3.5 is still in development, although I'm not sure if the new-feature window is still open; perhaps I'll implement ALPN support therein. In the meantime, I suppose a compatibility layer could be written that exposes PyOpenSSL as a Python 3.4 ssl-like API, along with dependency injection. I'm not sure which way to go either.
from hyper.
Ah, I now realize hyper only supports Python 3.3+. What are your feelings on supporting 2.7 as well?
from hyper.
I've had this discussion with Nick and Donald, and the basic gist is that adding ALPN in 3.5 won't get it backported to 2.7.
As for supporting 2.7, I'd like to do it, but it requires either a backport of the ssl module (aka PEP 466) or moving to PyOpenSSL (being progressed above). It also requires a bit of a rewrite, I'm depending on some fun 3.3 things.
from hyper.
This is no longer a WIBNI, it's mandatory, because ALPN is mandatory in the spec.
This is a gigantic pain in the ass. Some options:
- Wait for OpenSSL to support ALPN. 1.0.2 is in beta and has support, but I have no idea when it's scheduled for release. I'll then need to plumb it through cryptography and PyOpenSSL, which based on prior experience will take a few months. PyOpenSSL will then become mandatory for all currently-supported platforms. This will also require that basically everybody upgrade their copy of OpenSSL, which is going to be really painful on Windows. Maybe I bite the bullet and bundle a copy?
- Switch to GnuTLS, which appears to already contain support. I haven't found any Python bindings that support ALPN though, so I'll either have to contribute them myself or create a new set of bindings (who has the time?). I then also require that every platform download and compile the new bindings and have a copy of GnuTLS, making this even more of a pain in the ass than the OpenSSL plan.
- No idea. Seriously, these seem like the only two.
What a nightmare.
from hyper.
+1 for openssl. develop with beta now, check python mailing list / issues wrt. exposing openssl features to python-land.
from hyper.
> I'll then need to plumb it through cryptography and PyOpenSSL, which based on prior experience will take a few months.
We're planning 0.5 to be out in the next week or two so if there's any new bindings you need for ALPN now's a good time to get them in :)
> This will also require that basically everybody upgrade their copy of OpenSSL, which is going to be really painful on Windows. Maybe I bite the bullet and bundle a copy?
We are ever so slowly coming round to the idea that maybe we should just statically link (or at least bundle) OpenSSL for Windows in cryptography. Seems a bit mad for you to have to do that upstream and you aren't the first downstream dependency who's faced this issue.
from hyper.
@public What's the position of cryptography when it comes to adding bindings for things that are only in beta OpenSSL?
from hyper.
The other option is NSS, which also appears to have Python bindings.
from hyper.
@Lukasa We test against OpenSSL "1.0.2" https://cryptography.io/en/latest/installation/?highlight=openssl#supported-platforms so I think we'd probably be OK with that.
from hyper.
This support will be available in Python 3.5 and Python 2.7.10.
from hyper.
PyOpenSSL is now also unblocked!
from hyper.
Hurrah, completed!
from hyper.