Conversation
ssl.create_default_context() does a little bit more than his fallback version, like disabling compression and checking hostnames.
I just borrowed the fallback code from selector_events.py:_SelectorSslTransport.__init__: what's good for asyncio is good for aiohttp, I guess.
Hm... while it sounds good, I wonder whether it is also good if aiohttp unexpectedly makes the client/server vulnerable to the CRIME attack depending on which Python version it runs under. I think it's wise to synchronize the behaviour for 3.3 with 3.4.
Python 3.3 has no ssl.create_default_context() function, and I see no reason to avoid it if the function is present.
Well, all we need is to sync the behavior. Currently it's different from the fallback case by lines 413, 418 and 437, which gives us the following additional code:
import _ssl
sslcontext.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
sslcontext.check_hostname = True
sslcontext.load_default_certs('1.3.6.1.5.5.7.3.1')
Sounds good, except I'd like to try to use ssl.Purpose first if we run on Python 3.4 (Python 3.3 has no Purpose, IMHO).
I didn't find ssl.Purpose for 3.3 quickly, so I just picked the raw enum value instead. Might be worth adding a comment about where it comes from.
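The following is an added example written for this page, not code from aiohttp or from anyone in the thread. It puts the hasattr(ssl, 'create_default_context') check at module level as suggested later in the review, builds a fallback context that applies the three extras listed above (OP_NO_COMPRESSION, check_hostname, load_default_certs with the id-kp-serverAuth OID, using ssl.Purpose when it exists), and adds a hardening_gaps() check of the kind the review notes is missing from the tests. All function names (_fallback_client_context, make_client_ssl_context, hardening_gaps, weakened_context) are assumptions made for the example; check_hostname and load_default_certs are 3.4 APIs, so the fallback probes for them before use.

```python
import ssl

# Module-level feature detection, evaluated once at import time.
HAS_CREATE_DEFAULT_CONTEXT = hasattr(ssl, "create_default_context")

# id-kp-serverAuth from RFC 5280 section 4.2.1.12. ssl.Purpose.SERVER_AUTH
# wraps this same value on 3.4+; the raw string is what a 3.3 fallback has.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def _fallback_client_context():
    """Hypothetical helper: mirror ssl.create_default_context() by hand.

    Attributes that only exist on newer interpreters are looked up with
    getattr()/hasattr(), so the function also loads on Python 3.3.
    """
    # PROTOCOL_TLS_CLIENT (3.6+) already implies CERT_REQUIRED and hostname
    # checks; PROTOCOL_SSLv23 is the older name for "negotiate the best TLS".
    protocol = getattr(ssl, "PROTOCOL_TLS_CLIENT", None)
    if protocol is None:
        protocol = ssl.PROTOCOL_SSLv23
    ctx = ssl.SSLContext(protocol)

    # Refuse SSLv2/SSLv3 and TLS-level compression; enabled compression is
    # what makes a context CRIME-prone, the concern raised in the thread.
    ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
    ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
    ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)

    # verify_mode must be CERT_REQUIRED before check_hostname is switched on;
    # enabling hostname checks on a CERT_NONE context raises ValueError.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if hasattr(ctx, "check_hostname"):
        ctx.check_hostname = True

    # Trust store: ssl.Purpose when present (3.4+), otherwise the raw OID.
    purpose = getattr(ssl, "Purpose", None)
    if hasattr(ctx, "load_default_certs"):
        ctx.load_default_certs(purpose.SERVER_AUTH if purpose else SERVER_AUTH_OID)
    else:
        ctx.set_default_verify_paths()
    return ctx


def make_client_ssl_context(use_default=HAS_CREATE_DEFAULT_CONTEXT):
    """Return a hardened client context, preferring the stdlib factory."""
    if use_default:
        return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    return _fallback_client_context()


def hardening_gaps(ctx):
    """Name each create_default_context() guarantee that ctx lacks.

    Run it against both the stdlib context and the fallback in a test and
    expect an empty list from each; that pins the two code paths together.
    """
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("verify_mode")
    if not getattr(ctx, "check_hostname", False):
        gaps.append("check_hostname")
    if not ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0):
        gaps.append("OP_NO_COMPRESSION")
    if not ctx.options & getattr(ssl, "OP_NO_SSLv3", 0):
        gaps.append("OP_NO_SSLv3")
    return gaps


def weakened_context():
    """A deliberately misconfigured context (verification switched off), the
    classic way to make a certificate error disappear, so hardening_gaps()
    has something to report."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("stdlib  :", hardening_gaps(make_client_ssl_context(True)))
    print("fallback:", hardening_gaps(make_client_ssl_context(False)))
    print("weakened:", hardening_gaps(weakened_context()))
```

On any 3.4+ interpreter the first two lines print an empty list and the third prints the two verification settings that were switched off; that asymmetry is exactly the check a unit test for the connector would assert on.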
The problem is: we have no tests for disabling SSLv{bad} etc.
aiohttp/connector.py
I think it should be a module global variable
I remember there was a way to get a free cert for open source projects
lgtm
Add ssl_context to TCPConnector
@asvetlov you should move the "hasattr(ssl, 'create_default_context')" code to module level
ok, will do. Thanks.
Done in master.
No On Monday, December 29, 2014, Andrew Svetlov notifications@github.com
See #206 for PR reasons