Hans-Christoph Steiner added the comment:
This general idea sounds nice to have, I hope it can be included.
`ctx._call_with_ctypes("SSL_CTX_set_ciphersuites"...` also sounds totally
workable to me, if that has the best security profile.
Defense in depth is important, but it is not a reason
Steve Dower added the comment:
There's a working POC out there for modifying tuple elements that relies on the
fact that id() returns real memory addresses, so I don't see it as a harmless
thing. Also, Rust is only worrying about code that's put into its compiler,
whereas Python has to worry
Nathaniel Smith added the comment:
Python's 'id' function exposes raw memory addresses constantly. As long as
they're just integers, they can't do much harm.
(In Rust, taking a pointer to a random object is considered totally safe, can
be done anywhere. It's *dereferencing* a pointer where y
Christian Heimes added the comment:
Funny, I was looking into the same issue with CDLL(). :)
The trick with ssl._ssl.__file__ may even break if users change
sys.setdlopenflag() from RTLD_GLOBAL to RTLD_LOCAL. Static linking will also
influence which symbols are available.
Python/dynload_shl
Christian Heimes added the comment:
I don't want to import ctypes from the ssl module code.
PyCapsule could be a solution for the problem. Users would have to call
PyCapsule_Import("_ssl.capsule") and PyCapsule_GetPointer() to access a struct
with additional methods. It's a bit more work to
Nathaniel Smith added the comment:
Funny, I was actually looking at this a bit last week, because I was trying to
figure out if I could trick `ssl` into doing DTLS...
The two big problems I ran into are:
- for DTLS you need to instantiate the SSLContext with PROTOCOL_DTLS, and idk
how you c
Steve Dower added the comment:
Could we have the address exposed in a way that can only be passed back into
ctypes? Or alternatively, doesn't function if ctypes is missing?
I don't like offering ways to get real memory addresses, especially for
interesting objects. At the same time, I see th
New submission from Christian Heimes :
Python's ssl module exposes a limited and opinionated set of knobs to tune
OpenSSL's behavior. Each new setter, getter, or function must be carefully
design, tested, and documented. For each feature OpenSSL's C API must be
converted into a Pythonic, self
