Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #71037

Re: Using ssl.wrap_socket() in chroot jail

References <lkdk9l$le3$1@reader1.panix.com>
Date 2014-05-08 02:04 +1000
Subject Re: Using ssl.wrap_socket() in chroot jail
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.9743.1399478688.18130.python-list@python.org> (permalink)

Show all headers | View raw

On Thu, May 8, 2014 at 1:42 AM, Grant Edwards <invalid@invalid.invalid> wrote:
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects.  It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?

I was going to say "if all else fails, monkey-patch", but the source
code shows that the Python ssl module just passes the file name
straight on to _ssl... and, what's more, that _ssl.c just passes it
right along to SSL_CTX_use_PrivateKey_file which I presume is part of
OpenSSL.

Is it possible for you to initialize an SSLContext before chrooting,
and just hold that in memory? You can then use its wrap_socket instead
of the default wrap_socket. According to the docstring for SSLContext,
it can hold "... possibly a private key", but I don't see a parameter
for that; that's probably just indicative of my lack of experience
with Python's ssl module, though.

If you invoke Python entirely within the chroot jail, though, I don't
know of a way around it.

ChrisA

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 15:42 +0000
  Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 02:04 +1000
  Re: Using ssl.wrap_socket() in chroot jail Christian Heimes <christian@python.org> - 2014-05-07 20:11 +0200
    Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 18:51 +0000
      Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 12:12 +1000
        Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-08 13:31 +0000

csiph-web