-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ASGI TLS extension #466
Comments
The spec was contributed by someone else so I'm afraid I can't speak to the intent, nor did I implement it. What's the specific technical problem - client_cert_name can't be generated without a list of IDs from some external source? |
Yes. It looks like I can use Just to confirm, is my understanding correct @synodriver? (they implemented this extension on |
A similar issue with this extension: The extension specifies that the IMHO, it would be a lot simpler if the |
For the |
Author of encode/uvicorn#1119 here. When implementing the specification as outlined by this project I encountered several issues:
Are any of the above technically impossible? No. Are they reasonable? In my opinion no. It is my opinion that the ASGI TLS spec should function as a thin wrapper on the Python standard library SSL module. Although I do see the intention in making the formats for these fields as generic as possible, in reality the only way to accomplish this is to reinvent the wheel, requiring the implementation of several other TLS related specifications or to pull in a 3rd party dependency which has already done that. If I were to have my way, I would trim the ASGI TLS spec down to only a few fields. Those fields would contain the DER/PEM encoded certificate/certificate-chain as available from the Python SSL module. ANY AND ALL further extraction of information such as DN, TLS version, Cipher Suite, etc. should be left as an exercise for the end user application to implement as needed. Essentially all we should be doing with this spec is making a limited set of |
I'm happy to consider PRs to modify the TLS spec - obviously we'd have to work out who has implemented it as-is, since making fields optional for servers to provide is technically backwards-incompatible. |
I think we only have nonecorn, and... I think @pquentin also forked hypercorn to add this extension? I'm not sure... |
@Kludex I have not implemented the full extension, only @mdgilene Regarding certificate chains, note that it's possible with an undocumented API with Python 3.10+ (https://sethmlarson.dev/experimental-python-3.10-apis-and-trust-stores) and there will be an official way to do it in Python 3.13: python/cpython#109109 |
I've implemented the ASGI TLS Extension partially for hypercorn (see pgjones/hypercorn#62 (comment)) and here are my thoughts on the specification:
Note that the ASGI TLS Extension is mandatory with two main use cases:
Unfortunately at this time, very few ASGI web servers implement the ASGI TLS Extension. |
As a developer using the extension (and with a lot of experience from the Python |
Here is how the specification could look like with the changes above: grydz/asgiref@main...fix-asgi-tls-ext. |
That would be easier to implement. 👍 |
There's a PR on uvicorn to add this extension: encode/uvicorn#1119
And I have a question... The author said we either need to maintain the list that is maintained by IANA, or use
cryptography
as dependency.On the spec, this is written:
As a maintainer of uvicorn, I don't really want to generate the list as the PR is doing, neither add
cryptography
as dependency. Suggestions? Was this spec created by theory, or it was actually implemented when it was written?The text was updated successfully, but these errors were encountered: