| Header | Value |
|---|---|
| From | Chris Angelico <rosuav@gmail.com> |
| Cc | "python-list@python.org" <python-list@python.org> |
| Subject | Re: Using ssl.wrap_socket() in chroot jail |
| Date | Thu, 8 May 2014 02:04:45 +1000 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.9743.1399478688.18130.python-list@python.org> |
| In-Reply-To | <lkdk9l$le3$1@reader1.panix.com> |
| References | <lkdk9l$le3$1@reader1.panix.com> |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
On Thu, May 8, 2014 at 1:42 AM, Grant Edwards <invalid@invalid.invalid> wrote:
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects. It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?

I was going to say "if all else fails, monkey-patch", but the source code shows that the Python ssl module just passes the file name straight on to _ssl... and, what's more, that _ssl.c just passes it right along to SSL_CTX_use_PrivateKey_file which I presume is part of OpenSSL.

Is it possible for you to initialize an SSLContext before chrooting, and just hold that in memory? You can then use its wrap_socket instead of the default wrap_socket. According to the docstring for SSLContext, it can hold "... possibly a private key", but I don't see a parameter for that; that's probably just indicative of my lack of experience with Python's ssl module, though.

If you invoke Python entirely within the chroot jail, though, I don't know of a way around it.

ChrisA
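The pattern Chris suggests, worked through as an added example (editor's code, not from the thread and not CPython's own): build the SSLContext with load_cert_chain() while the PEM files are still reachable, then chroot and drop privileges, then serve with ctx.wrap_socket() instead of the module-level ssl.wrap_socket(). The module-level ssl.wrap_socket() of that era built a fresh context, and therefore re-read the files, on every call, which is the per-connection read Grant describes; a pre-built context reads them once. The function names build_server_context, enter_jail, serve_from_jail and demo_handshake_after_files_removed are mine; the demo mints a throwaway self-signed certificate with the openssl CLI (assumed installed) and uses current API names such as ssl.PROTOCOL_TLS_SERVER, which postdate this 2014 message. The demo deletes the PEM files after the context is built, standing in for "not present inside the jail", and then completes a real handshake over a socketpair.

```python
# Pre-chroot TLS setup: read the key into an SSLContext while the files are
# reachable, then chroot, drop privileges and serve from inside the jail.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def build_server_context(certfile, keyfile):
    """OpenSSL reads both PEM files exactly once here; the parsed key then
    lives in process memory and the paths are never opened again."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def enter_jail(root, uid, gid):
    """chroot and drop privileges (needs root). Because the context already
    holds the key, the key file may live outside the jail entirely."""
    os.chroot(root)
    os.chdir("/")        # cwd must not keep pointing outside the new root
    os.setgroups([])     # shed supplementary groups before changing ids
    os.setgid(gid)
    os.setuid(uid)


def serve_from_jail(certfile, keyfile, root, uid, gid, port):
    """Production ordering: context and listening socket first, then the
    jail, then accept. Needs root, so the tests do not call it."""
    ctx = build_server_context(certfile, keyfile)
    listener = socket.create_server(("", port))
    enter_jail(root, uid, gid)
    while True:
        conn, _ = listener.accept()
        # ctx.wrap_socket(), not ssl.wrap_socket(): no file access here
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello from inside the jail\n")


def _make_self_signed(dirname):
    """Constructed demo material: a throwaway self-signed certificate made
    with the openssl CLI (assumed installed). Returns (certfile, keyfile)."""
    certfile = os.path.join(dirname, "cert.pem")
    keyfile = os.path.join(dirname, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", keyfile, "-out", certfile, "-days", "1",
         "-subj", "/CN=localhost"],
        check=True, capture_output=True)
    return certfile, keyfile


def demo_handshake_after_files_removed():
    """Load the key, delete the PEM files, then complete a TLS handshake over
    a socketpair. Returns None when no openssl CLI exists to mint the cert."""
    workdir = tempfile.mkdtemp()
    try:
        try:
            certfile, keyfile = _make_self_signed(workdir)
        except FileNotFoundError:      # openssl binary not installed
            return None
        server_ctx = build_server_context(certfile, keyfile)
        # The client trusts only the demo certificate; hostname checking is
        # off because the constructed cert carries no subjectAltName.
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.check_hostname = False
        client_ctx.verify_mode = ssl.CERT_REQUIRED
        client_ctx.load_verify_locations(cafile=certfile)
    finally:
        shutil.rmtree(workdir)         # both PEM files are gone from here on

    result = {"key_on_disk": os.path.exists(keyfile)}
    srv_sock, cli_sock = socket.socketpair()

    def serve():
        with server_ctx.wrap_socket(srv_sock, server_side=True) as tls:
            result["server_saw"] = tls.recv(64)
            tls.sendall(b"hello from jail")

    worker = threading.Thread(target=serve)
    worker.start()
    with client_ctx.wrap_socket(cli_sock) as tls:
        tls.sendall(b"ping")
        result["client_saw"] = tls.recv(64)
        result["protocol"] = tls.version()
    worker.join()
    return result


if __name__ == "__main__":
    print(demo_handshake_after_files_removed())
```

Two caveats a practitioner will want. First, the key file must be readable at the instant load_cert_chain() runs, so the read happens before the uid change; nothing inside the jail needs it afterwards, but anything that can read the process's memory (ptrace, a core dump) still gets the key, so restrict core dumps and keep the server process unprivileged. Second, the demo client disables hostname checking only because its constructed certificate has no subjectAltName; real clients should keep check_hostname on.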
Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 15:42 +0000
Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 02:04 +1000
Re: Using ssl.wrap_socket() in chroot jail Christian Heimes <christian@python.org> - 2014-05-07 20:11 +0200
Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 18:51 +0000
Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 12:12 +1000
Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-08 13:31 +0000