- Type: Improvement
- Resolution: Unresolved
- Priority: Unknown
- None
- Affects Version/s: None
- Component/s: None
- None
- Python Drivers
Context
Add option to prefer stdlib ssl over pyopenssl. Currently, pymongo always attempts to use pyopenssl when it's installed, which is not always what the user wants. See https://github.com/mongodb/mongo-python-driver/pull/1666 :
Another problem remains: if an older version of PyOpenSSL is already installed by anything other than pip install "pymongo[ocsp]", the ssl_support.py still defaults to using pymongo.pyopenssl_context over pymongo.ssl_context (standard library SSL). Instead of blindly importing pyOpenSSL, ssl_support.py should be able to check whether the installed version meets the requirements. Any suggestions on how this should be checked?
Definition of done
Perhaps something like:
MongoClient(tlsLib="stdlib")  # Only uses ssl module
MongoClient(tlsLib="pyopenssl")  # Only uses pyopenssl module
MongoClient(tlsLib="pyopenssl,stdlib")  # Uses pyopenssl if installed, falls back to stdlib ssl.
Alternatively we could make this configurable via an environment variable:
$ PYMONGO_TLS_LIB=ssl python app.py
The API should be able to accommodate a future where we add a new TLS implementation using another library.
Pitfalls
Currently, the fact that we use pyopenssl is just an implementation detail, but after this change it will leak into the API.
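One way to resolve a preference list like the proposed tlsLib value while checking the installed pyOpenSSL version before importing it, as an added example that is not pymongo's code. `resolve_tls_lib`, `pyopenssl_version`, `version_tuple`, `BACKENDS` and the `min_pyopenssl` parameter are hypothetical names, and the minimum version is passed in by the caller because the ticket does not state one.

```python
from importlib import metadata

# Spellings taken from the ticket: tlsLib="stdlib" / "pyopenssl", PYMONGO_TLS_LIB=ssl.
BACKENDS = {"stdlib": "stdlib", "ssl": "stdlib", "pyopenssl": "pyopenssl"}


def version_tuple(text):
    """Leading numeric components of a version: '24.0.0rc1' -> (24, 0, 0)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def pyopenssl_version(lookup=metadata.version):
    """Read the installed version from package metadata, without importing
    OpenSSL, so a broken or outdated install cannot fail at import time."""
    try:
        return version_tuple(lookup("pyOpenSSL"))
    except metadata.PackageNotFoundError:
        return None


def resolve_tls_lib(preference, min_pyopenssl, lookup=metadata.version):
    """Return the first usable backend in a preference like 'pyopenssl,stdlib'."""
    names = [n.strip().lower() for n in preference.split(",") if n.strip()]
    unknown = [n for n in names if n not in BACKENDS]
    if not names or unknown:
        raise ValueError(f"invalid TLS library preference: {preference!r}")
    for name in names:
        if BACKENDS[name] == "stdlib":
            return "stdlib"
        found = pyopenssl_version(lookup)
        if found is not None and found >= min_pyopenssl:
            return "pyopenssl"
    # A "pyopenssl"-only request raises instead of silently switching libraries.
    raise RuntimeError(f"no usable TLS library for preference {preference!r}")


if __name__ == "__main__":
    import os
    # (20, 0, 0) is a constructed minimum for this demo, not pymongo's requirement.
    print(resolve_tls_lib(os.environ.get("PYMONGO_TLS_LIB", "pyopenssl,stdlib"), (20, 0, 0)))
```

Because the preference is an ordered list of names, a future TLS implementation only needs a new `BACKENDS` entry and its own availability check.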
- is related to
- PYTHON-4492 Fallback to stdlib ssl when pyopenssl import fails with AttributeError
- Closed
- related to
- PYTHON-2040 Support PyOpenSSL
- Closed