
PEP748 tlslib - configuration#4958

Open
Julien00859 wants to merge 5 commits into python:main from Julien00859:Julien00859/tlslib-config

@Julien00859

First time contributor 🎉

A few suggestions to make the configuration a bit more explicit. I decided to leave most of the attributes undocumented as they are pretty explicit to me, and to instead only document the few attributes that are different from the client and the server.

PEP 748: ConfigurationError is only for unsupported features

Discussed at trailofbits/tlslib.py#72 (comment)

ConfigurationError was intended for when specific implementations don't support certain behavior (e.g. adding a certificate by identifier). I think ValueError should be fine, probably raised when validating the configuration. ~Joop

PEP 748: certificate_chain is mandatory server-side

Discussed at https://discuss.python.org/t/pre-pep-discussion-revival-of-pep-543-a-unified-tls-api-for-python/51263/75

This makes sense to me. We can allow empty server certificates in the insecure module. ~Joop

PEP 748: disambiguate config trust_store=None

Discussed at https://discuss.python.org/t/pre-pep-discussion-revival-of-pep-543-a-unified-tls-api-for-python/51263/78

I agree, this is better. ~Joop

Ease reading the diff of the next commits.

Client-side `trust_store=None` means `TrustStore.system()` but
server-side it means "skip client authentication". One could think it
means "skip server authentication" when used client-side, so let's not
support `None` at all client-side and instead default to
`TrustStore.system()`.

TLS 1.3 and secure TLS 1.2 both require a certificate and private key
server-side. Making the parameter mandatory makes it explicit that one
is required. It still is optional client-side.
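
The three configuration changes discussed above (`ValueError` for invalid values, a mandatory server-side `certificate_chain`, and no `None` for the client-side `trust_store`), as an added sketch that is not code from this pull request, PEP 748 or tlslib. `ClientConfig`, `ServerConfig`, the `TrustStore` stand-in and `rejects` are hypothetical names, and rejecting an empty chain is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional, Sequence


@dataclass(frozen=True)
class TrustStore:
    # Hypothetical stand-in: only records where the trusted roots come from.
    source: str

    @classmethod
    def system(cls) -> "TrustStore":
        return cls("system")


@dataclass(frozen=True)
class ClientConfig:
    # Optional client-side: only needed when the client authenticates itself.
    certificate_chain: Optional[Sequence[str]] = None
    # No None here: the default is the system store, so None can never be
    # misread as "skip server authentication".
    trust_store: TrustStore = field(default_factory=TrustStore.system)

    def __post_init__(self) -> None:
        # Invalid values are a ValueError raised while validating the config.
        if not isinstance(self.trust_store, TrustStore):
            raise ValueError("client trust_store must be a TrustStore, not None")


@dataclass(frozen=True)
class ServerConfig:
    # Mandatory server-side: no default, so omitting it raises TypeError.
    certificate_chain: Sequence[str]
    # None keeps a single meaning here: skip client authentication.
    trust_store: Optional[TrustStore] = None

    def __post_init__(self) -> None:
        if not self.certificate_chain:  # assumption: empty chain is invalid
            raise ValueError("server certificate_chain must not be empty")


def rejects(factory) -> str:
    """Return the exception type name a configuration raises, or ''."""
    try:
        factory()
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return ""
```
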
@Julien00859 Julien00859 requested a review from ncoghlan as a code owner May 6, 2026 22:03

python-cla-bot Bot commented May 6, 2026

All commit authors signed the Contributor License Agreement.

CLA signed

@read-the-docs-community

Documentation build overview

📚 pep-previews | 🛠️ Build #32573746 | 📁 Comparing ea0b73f against latest (c093d5f)

  🔍 Preview build  

709 files changed · ± 709 modified
