PyCon 2016 in Portland, Or
hills next to breadcrumb illustration

Saturday 1:20 p.m.–4:40 p.m.

The Hitchhiker's Guide to TLS & SSL

lvh, Cory Benfield, Glyph, Hynek Schlawack, Paul Kehrer

Audience level:


Since the SSL/TLS vulnerabilities in recent years, the landscape has improved considerably. However, there’s still a lot of knowledge necessary to use TLS in Python properly, and a lot of useful information for setting up and debugging TLS stacks that’s hard to come by. Join the makers of PyOpenSSL, the standard library’s ssl module, requests/urllib3, Twisted, the former maintainer of a CA, and


This tutorial will help you deploy, test and maintain TLS stacks responsibly using tools that are popular in the Python ecosystem. We’ll provide everyone with a baseline understanding of what makes TLS tick, then give you hands-on experience with real TLS clients and servers common in the Python ecosystem. Once we’ve covered those basics, we’ll take a deeper dive into more advanced TLS features and configurations, and how you can use them to improve your systems. This includes: - running your own CA, - certificate pinning, - using client certificates, to authenticate both peers of a TLS connection, - SNI to let you run multiple TLS servers on the same endpoint, - NPN/ALPN which let you efficiently negotiate protocols to reduce latency. Our group includes a good cross-section of the people who are helping to make TLS available and usable in the Python ecosystem. This includes the maintainer of PyOpenSSL, several founding members of the Python Cryptographic Authority (which builds, amongst other things, the foundation for tools like PyOpenSSL), the guy who TLS’d PyPI downloads, a cryptographer, two core contributors to the popular requests library, and several Twisted core contributors.

Student Handout

No handouts have been provided yet for this tutorial