From: Grant Edwards
Newsgroups: comp.lang.python
Subject: Using ssl.wrap_socket() in chroot jail
Date: Wed, 7 May 2014 15:42:45 +0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC

Let's say you have a server/daemon application written in python that accepts incoming SSL connections. You want to run that application in a chroot jail. The last thing you want in that jail is your SSL certificate private key file.

But, it appears the ssl module won't accept SSL certificates and keys as data strings, or as stringio file objects. It will only accept a filename, and it has to open/read that file every time a connection is accepted.

So how do you avoid having your certificate key file sitting, readable, in the chroot jail?

--
Grant Edwards, grant.b.edwards at gmail.com
Yow! An Italian is COMBING his hair in suburban DES MOINES!
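One way to keep the key file out of the jail, as an added example that is not part of the original post: load the certificate and key into an `ssl.SSLContext` once while still outside the chroot, then enter the jail, drop root, and wrap each accepted connection with that context. It assumes Python 3.8+ and a process started as root; the paths, uid/gid and port in the `__main__` block are hypothetical placeholders.

```python
import os
import socket
import ssl


def load_tls_context(certfile, keyfile):
    """Read certificate and private key into memory once, before the jail exists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def enter_jail(jail_dir, uid, gid, _os=os):
    """chroot, then drop root. Groups and gid must go before uid.

    _os is injectable only so the call order can be checked without root.
    """
    _os.chroot(jail_dir)
    _os.chdir("/")          # do not keep a working directory outside the jail
    _os.setgroups([])       # clear supplementary groups inherited from root
    _os.setgid(gid)
    _os.setuid(uid)         # last: after this the process cannot undo the above


def serve(certfile, keyfile, jail_dir, uid, gid, port=4433):
    # Key material is parsed into the SSLContext here, outside the jail.
    ctx = load_tls_context(certfile, keyfile)
    listener = socket.create_server(("0.0.0.0", port))
    enter_jail(jail_dir, uid, gid)
    # From here on no key file is reachable; the context holds the loaded key.
    while True:
        conn, _addr = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello from inside the jail\n")
        except (ssl.SSLError, OSError):
            conn.close()    # failed handshake or dropped peer; keep serving


if __name__ == "__main__":
    # Hypothetical placeholder values, not taken from the post.
    serve("/etc/myapp/server.crt", "/etc/myapp/server.key",
          "/var/empty/myapp", uid=65534, gid=65534)
```

Modules that Python would import lazily after the chroot will not be found inside the jail, so import everything the server needs before calling `enter_jail()`.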