Opened 11 years ago

Closed 9 years ago

#4974 enhancement closed fixed (fixed)

Warn if pyOpenSSL <0.10 is used

Reported by: Jean-Paul Calderone
Owned by: Jean-Paul Calderone
Priority: normal
Milestone: totally automated release infrastructure
Component: core
Keywords:
Cc:
Branch: branches/deprecate-oldtls-4974
Author: exarkun

Description

pyOpenSSL introduced memory BIO APIs. These let Twisted do SSL better - faster and with fewer bugs, and with more consistent cross-platform behavior. #4854 switched IReactorSSL implementations to prefer these APIs, but still fall back to the old socket BIO APIs. Still, we should encourage people to move forward. They will get better behavior and we will be able to drop some gross code.

So, if pyOpenSSL 0.10 or newer is not available on a system, we should indicate our preference for a newer version, probably with a UserWarning (unless anyone has a suggestion for something better).

Change History (15)

comment:1 Changed 10 years ago by Jean-Paul Calderone

See #5014 for what comes after this.

comment:2 Changed 10 years ago by Jean-Paul Calderone

Milestone: Twisted-11.1

comment:3 Changed 10 years ago by Jean-Paul Calderone

(In [31537]) Merge protocol-ssl-4854-6

Author: exarkun Reviewer: itamar, glyph, thijs Fixes: #4854 Refs: #4974 Refs: #5014 Refs: #4455

Add an implementation of IReactorSSL and ITLSTransport which uses the memory BIO APIs present in pyOpenSSL 0.10 and newer. This implementation will be preferred by all reactors if the pyOpenSSL dependency is satisfied, otherwise the old implementation will still be used.

This appears to have slightly better performance than the old implementation and should avoid bugs like #4455.

comment:4 Changed 10 years ago by Itamar Turner-Trauring

Milestone: Twisted-11.1

This is not going to happen in 11.1.

comment:5 Changed 9 years ago by Jean-Paul Calderone

Author: exarkun
Branch: branches/deprecate-oldtls-4974

(In [34341]) Branching to 'deprecate-oldtls-4974'

comment:6 Changed 9 years ago by Jean-Paul Calderone

Keywords: review added

Determining the version of a package available in RHEL appears to require a redhat network ID, which seems to cost money, and which I do not have. So RHEL loses out if they're still on an old version of pyOpenSSL, as far as I'm concerned.

comment:7 Changed 9 years ago by Jean-Paul Calderone

comment:8 Changed 9 years ago by Itamar Turner-Trauring

Keywords: review removed
Owner: set to Jean-Paul Calderone

Looks good, please merge.

comment:9 Changed 9 years ago by Jean-Paul Calderone

Resolution: fixed
Status: new → closed

(In [34360]) Merge deprecate-oldtls-4974

Author: exarkun Reviewer: itamar Fixes: #4974

Deprecate support for pyOpenSSL versions older than 0.10, which lack support for in-memory operation.

comment:10 Changed 9 years ago by Jean-Paul Calderone

Resolution: fixed
Status: closed → reopened

(In [34361]) Revert r34360 - test suite regression

Reopens: #4974

Numerous issues on various platforms.

comment:11 Changed 9 years ago by Jean-Paul Calderone

(In [34363]) Skip the test if OpenSSL is missing

refs #4974

comment:12 Changed 9 years ago by Jean-Paul Calderone

Keywords: review added
Owner: Jean-Paul Calderone deleted
Status: reopened → new

Handled the two other cases that caused test failures:

  1. OpenSSL is not present at all and
  2. an old version of OpenSSL is present causing _oldtls to have been loaded already

Build results look better now, though the FreeBSD slave is offline at this time.

comment:13 Changed 9 years ago by Itamar Turner-Trauring

Keywords: review removed
Owner: set to Jean-Paul Calderone

Please (re)merge.

comment:14 Changed 9 years ago by Jean-Paul Calderone

Milestone: regular-releases

comment:15 Changed 9 years ago by Jean-Paul Calderone

Resolution: fixed
Status: new → closed

(In [34370]) Merge deprecate-oldtls-4974 (again)

Author: exarkun Reviewer: itamar Fixes: #4974

Deprecate support for pyOpenSSL versions older than 0.10, which lack support for in-memory operation.

Re-merge fixes shortcomings of the first attempt, which led to test failures when OpenSSL was not installed or when the installed version of OpenSSL was older than 0.10.
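
An added sketch, not Twisted's own code, of the version gate this ticket describes, covering the two failure cases from comment 12 (pyOpenSSL missing, or older than 0.10). The function names and return labels are assumptions, and the UserWarning follows the ticket's suggestion. Versions are compared as integer tuples because a plain string comparison ranks "0.9" above "0.10".

```python
import re
import warnings

# From the ticket: versions older than 0.10 lack the memory BIO APIs.
MINIMUM = (0, 10)


def parse_version(text):
    """Return the leading numeric components of a version string as ints."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError("unparseable version: %r" % (text,))
    return tuple(int(part) for part in match.group(0).split("."))


def installed_pyopenssl_version():
    """Return pyOpenSSL's version string, or None if it cannot be imported."""
    try:
        import OpenSSL
    except ImportError:
        return None
    return getattr(OpenSSL, "__version__", None)


def check_pyopenssl(version, minimum=MINIMUM):
    """Classify a version string (hypothetical helper, labels are assumptions).

    Returns "missing", "unknown", "old" or "ok"; only "old" emits a warning.
    """
    if version is None:
        return "missing"  # no pyOpenSSL at all: nothing to deprecate
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown"  # do not guess about versions we cannot parse
    if found < minimum:
        warnings.warn(
            "pyOpenSSL %s lacks memory BIO support; please upgrade to "
            "%s or newer" % (version, ".".join(map(str, minimum))),
            UserWarning,
            stacklevel=2,
        )
        return "old"
    return "ok"


if __name__ == "__main__":
    print(check_pyopenssl(installed_pyopenssl_version()))
```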
