Python Driver / PYTHON-4491

Add option to prefer stdlib ssl over pyopenssl

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Unknown
    • Affects Version/s: None
    • Component/s: None
    • Python Drivers

      Context

      Add option to prefer stdlib ssl over pyopenssl. Currently pymongo always attempts to use pyopenssl when it's installed, which is not always what the user wants. See https://github.com/mongodb/mongo-python-driver/pull/1666:

      Another problem remains: if an older version of PyOpenSSL is already installed by anything other than pip install "pymongo[ocsp]", the ssl_support.py still defaults to using pymongo.pyopenssl_context over pymongo.ssl_context (standard library SSL). Instead of blindly importing pyOpenSSL, ssl_support.py should be able to check whether the installed version meets the requirements. Any suggestions on how this should be checked?

      Definition of done

      Perhaps something like:

      MongoClient(tlsLib="stdlib") # Only uses ssl module
      MongoClient(tlsLib="pyopenssl") # Only uses pyopenssl module
      MongoClient(tlsLib="pyopenssl,stdlib")  # Uses pyopenssl if installed, falls back to stdlib ssl.
      

      Alternatively we could make this configurable via an environment variable:

      $ PYMONGO_TLS_LIB=ssl python app.py
      

      The API should be able to accommodate a future where we add a new TLS implementation using another library.
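
One way to combine the version check asked about in the quoted PR comment with the preference list sketched above, as an added example that is not PyMongo's code. `select_tls_backend`, the `probe` hook, the `MIN_PYOPENSSL` value (a constructed placeholder) and the treatment of `ssl` as an alias for `stdlib` are assumptions.

```python
import os
import re
from importlib import metadata

# Constructed placeholder, not PyMongo's real floor: take it from the pymongo[ocsp] extra.
MIN_PYOPENSSL = (20, 0, 0)
KNOWN_BACKENDS = ("pyopenssl", "stdlib")


def version_tuple(text):
    """'23.2.0rc1' -> (23, 2, 0); unparsable strings -> (0, 0, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = tuple(int(p) for p in m.group().split("."))[:3] if m else ()
    return parts + (0,) * (3 - len(parts))


def installed_pyopenssl_version():
    """Read the version from package metadata, without importing OpenSSL itself."""
    try:
        return metadata.version("pyOpenSSL")
    except metadata.PackageNotFoundError:
        return None


def pyopenssl_usable(version, minimum=MIN_PYOPENSSL):
    """True only if pyOpenSSL is present and at least `minimum`."""
    return version is not None and version_tuple(version) >= minimum


def select_tls_backend(preference=None, probe=installed_pyopenssl_version, environ=None):
    """Resolve a 'pyopenssl,stdlib'-style preference to a single backend name."""
    environ = os.environ if environ is None else environ
    # The default keeps today's behaviour: pyopenssl when usable, else stdlib ssl.
    raw = preference or environ.get("PYMONGO_TLS_LIB") or "pyopenssl,stdlib"
    # Assumption: "ssl" (used in the env-var example) is an alias for "stdlib".
    names = ["stdlib" if n.strip().lower() == "ssl" else n.strip().lower()
             for n in raw.split(",") if n.strip()]
    unknown = [n for n in names if n not in KNOWN_BACKENDS]
    if unknown or not names:
        raise ValueError(f"unknown or empty TLS backend list: {raw!r}")
    for name in names:
        if name == "stdlib" or pyopenssl_usable(probe()):
            return name
    # An explicit choice that cannot be honoured fails instead of silently downgrading.
    raise RuntimeError(f"no usable TLS backend among {names}")
```

Because unknown names are rejected and the list is ordered, a third backend can be added later by extending `KNOWN_BACKENDS` and its usability check.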

      Pitfalls

      Currently, the fact that we use pyopenssl is just an implementation detail but after this change it will leak into the API.

            Assignee: Unassigned
            Reporter: Shane Harvey (shane.harvey@mongodb.com)
            Votes: 0
            Watchers: 2