| Path | csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!nntp.club.cc.cmu.edu!micro-heart-of-gold.mit.edu!bloom-beacon.mit.edu!bloom-beacon.mit.edu!panix!not-for-mail |
|---|---|
| From | Grant Edwards <invalid@invalid.invalid> |
| Newsgroups | comp.lang.python |
| Subject | Re: Using ssl.wrap_socket() in chroot jail |
| Date | Wed, 7 May 2014 18:51:19 +0000 (UTC) |
| Organization | PANIX Public Access Internet and UNIX, NYC |
| Lines | 32 |
| Message-ID | <lkdvb7$ddg$1@reader1.panix.com> (permalink) |
| References | <lkdk9l$le3$1@reader1.panix.com> <mailman.9745.1399486314.18130.python-list@python.org> |
| NNTP-Posting-Host | dsl.comtrol.com |
| X-Trace | reader1.panix.com 1399488679 13744 64.122.56.22 (7 May 2014 18:51:19 GMT) |
| X-Complaints-To | abuse@panix.com |
| NNTP-Posting-Date | Wed, 7 May 2014 18:51:19 +0000 (UTC) |
| User-Agent | slrn/1.0.1 (Linux) |
| Xref | csiph.com comp.lang.python:71045 |
On 2014-05-07, Christian Heimes <christian@python.org> wrote:
> On 07.05.2014 17:42, Grant Edwards wrote:
>> Let's say you have a server/daemon application written in python that
>> accepts incoming SSL connections.
>>
>> You want to run that application in a chroot jail.
>>
>> The last thing you want in that jail is your SSL certificate private
>> key file.
[...]
> Python's SSL module can't load private key from memory. I wanted to
> implement that feature for 3.4 but the feature wasn't ready by then.
> You have multiple options:
>
> * create a SSLContext, then chroot()
> * use pyOpenSSL / cryptography as TLS library
> * don't do SSL in your daemon and let some proxy or load balancer do TLS
> offloading, e.g. NGinx or Apache + mod_proxy

Unfortunately, the actual SSL wrapping stuff isn't being done in my
code. It's being done by the secure-smtpd module, which will pass
whatever cert/key params I give it to ssl.wrap_socket(). That still
leaves the third option (e.g. stunnel).

Thanks.

--
Grant Edwards grant.b.edwards Yow! I'm wearing PAMPERS!!
at
gmail.com
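
The first option quoted above (create an SSLContext, then chroot()), as an added sketch that is not code from this thread or from secure-smtpd; the function names, paths, port and ids are constructed. It only applies where your own code owns the context, since ssl.wrap_socket() called with file paths reads the key each time it is called.

```python
import os
import socket
import ssl


def jailed_context(certfile, keyfile, jail_dir, uid, gid):
    """Read cert and key into an SSLContext, then chroot and drop root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The files are read here; a missing or unreadable key fails before the jail.
    ctx.load_cert_chain(certfile, keyfile)
    os.chroot(jail_dir)   # the key file is unreachable from here on
    os.chdir("/")         # do not keep a working directory outside the jail
    os.setgroups([])      # drop supplementary groups while still root
    os.setgid(gid)        # group first: setgid() fails once root is dropped
    os.setuid(uid)
    return ctx


def serve(ctx, listener):
    """Accept loop; the TLS handshake uses the in-memory key, no file access."""
    while True:
        conn, _peer = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello from the jail\n")
        except (ssl.SSLError, OSError):
            conn.close()  # failed handshake or reset: drop the client, keep serving


if __name__ == "__main__":
    # Constructed paths, port and ids; must be started as root.
    listener = socket.create_server(("0.0.0.0", 8443))  # bind before dropping root
    ctx = jailed_context("/etc/ssl/private/daemon.crt",
                         "/etc/ssl/private/daemon.key",
                         "/var/empty", uid=65534, gid=65534)
    serve(ctx, listener)
```

The key still lives in the process's memory after the chroot; only the file is out of reach.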