From: Grant Edwards
Newsgroups: comp.lang.python
Subject: Re: Using ssl.wrap_socket() in chroot jail
Date: Wed, 7 May 2014 18:51:19 +0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC

On 2014-05-07, Christian Heimes wrote:
> On 07.05.2014 17:42, Grant Edwards wrote:
>> Let's say you have a server/daemon application written in python that
>> accepts incoming SSL connections.
>>
>> You want to run that application in a chroot jail.
>>
>> The last thing you want in that jail is your SSL certificate private
>> key file.
[...]
> Python's SSL module can't load private key from memory. I wanted to
> implement that feature for 3.4 but the feature wasn't ready by then.
> You have multiple options:
>
> * create a SSLContext, then chroot()
> * use pyOpenSSL / cryptography as TLS library
> * don't do SSL in your daemon and let some proxy or load balancer do TLS
>   offloading, e.g. NGinx or Apache + mod_proxy

Unfortunately, the actual SSL wrapping stuff isn't being done in my
code. It's being done by the secure-smtpd module, which will pass
whatever cert/key params I give it to ssl.wrap_socket().

That still leaves the third option (e.g. stunnel).

Thanks.

-- 
Grant Edwards               grant.b.edwards        Yow! I'm wearing PAMPERS!!
                                  at gmail.com
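Christian's first option (build the SSLContext, then chroot()) in runnable form, as an added example that is not from the thread and not secure-smtpd's code: the cert and key are parsed into the context while the files are readable, the files are then deleted (standing in for the jail hiding them), and a loopback handshake shows the context still holds the key. It assumes the `openssl` CLI is installed for the throwaway certificate (the demo returns None otherwise); `enter_jail` is the hypothetical root-only step that the demo does not call.

```python
import os, shutil, socket, ssl, subprocess, tempfile, threading

def build_server_context(certfile, keyfile):
    # Parse cert + key while the files are still readable; from here on the
    # key is held in the context (OpenSSL memory), so the files can vanish.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def enter_jail(jail_dir):
    # Hypothetical jail step: run AFTER build_server_context; needs root,
    # so the demo below removes the files instead of calling this.
    os.chroot(jail_dir)
    os.chdir("/")

def make_test_cert(workdir):
    # Constructed throwaway self-signed cert via the openssl CLI (assumed installed).
    if shutil.which("openssl") is None:
        return None
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost", "-days", "1"],
                   check=True, capture_output=True)
    return cert, key

def handshake_after_key_removed():
    """Negotiated TLS version after the key/cert files are gone, or None."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_test_cert(d)
        if paths is None:
            return None
        cert, key = paths
        server_ctx = build_server_context(cert, key)
        with open(cert) as f:                      # client trusts the same cert
            client_ctx = ssl.create_default_context(cadata=f.read())
        os.remove(key); os.remove(cert)            # what chroot would do to them
        srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
        port = srv.getsockname()[1]
        def serve():                               # one accept, wrapped server-side
            conn, _ = srv.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        t = threading.Thread(target=serve); t.start()
        raw = socket.create_connection(("127.0.0.1", port))
        with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")
            version = tls.version()
        t.join(); srv.close()
        return version
```

The same split applies to a daemon that cannot be changed: only the context construction has to precede the chroot, while accept() and wrap_socket() can run inside the jail.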