Newsgroups: comp.lang.python
Subject: Re: Using ssl.wrap_socket() in chroot jail
From: Chris Angelico
Cc: python-list@python.org
Date: Thu, 8 May 2014 02:04:45 +1000

On Thu, May 8, 2014 at 1:42 AM, Grant Edwards wrote:
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects. It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?

I was going to say "if all else fails, monkey-patch", but the source
code shows that the Python ssl module just passes the file name straight
on to _ssl... and, what's more, that _ssl.c just passes it right along
to SSL_CTX_use_PrivateKey_file, which I presume is part of OpenSSL.

Is it possible for you to initialize an SSLContext before chrooting, and
just hold that in memory? You can then use its wrap_socket instead of the
default wrap_socket. According to the docstring for SSLContext, it can
hold "... possibly a private key", but I don't see a parameter for that;
that's probably just indicative of my lack of experience with Python's
ssl module, though.

If you invoke Python entirely within the chroot jail, though, I don't
know of a way around it.

ChrisA
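The approach suggested above, worked through as an added example (this is not code from either poster): the SSLContext is built and load_cert_chain() is called while the PEM files are still reachable, the files then disappear from the filesystem view, and the held context still completes a TLS handshake because OpenSSL copied the key into the SSL_CTX. It also shows the failure mode the original poster ran into, building the context after the files are gone. Assumptions: the `openssl` command-line tool is on PATH (used only to mint a throwaway self-signed certificate), and since os.chroot() needs root the jail step is simulated by deleting the key directory, which is what the chroot would do to that path; a real server would call os.chroot(), os.chdir("/") and drop privileges at the marked spot.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"


def mint_self_signed(workdir):
    """Create a throwaway key.pem/cert.pem for CN=localhost (assumes openssl CLI)."""
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={HOST}",
         "-addext", f"subjectAltName=DNS:{HOST}"],
        check=True, capture_output=True)
    return key, cert


def build_contexts(key, cert):
    """Runs BEFORE chroot: the files are read once, key material stays in memory."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(certfile=cert, keyfile=key)
    # Client context pins the self-signed cert as its only trust anchor,
    # so the handshake below also verifies the server's certificate.
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.load_verify_locations(cafile=cert)
    return server, client


def handshake(server_ctx, client_ctx):
    """TLS handshake over a local socket pair using the pre-built contexts.

    Returns the verified peer CN seen by the client and the payload it received."""
    left, right = socket.socketpair()

    def serve():
        with server_ctx.wrap_socket(left, server_side=True) as tls:
            tls.sendall(b"hello from jail")

    t = threading.Thread(target=serve)
    t.start()
    with client_ctx.wrap_socket(right, server_hostname=HOST) as tls:
        subject = dict(x[0] for x in tls.getpeercert()["subject"])
        data = tls.recv(64)
    t.join()
    return subject.get("commonName"), data


def load_inside_jail(key, cert):
    """The failing path: building the context once the files are unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    except OSError as exc:
        return isinstance(exc, FileNotFoundError)
    return False


def demo():
    """Returns (peer CN, payload, key file still exists, load-in-jail failed),
    or None when no openssl binary is available to mint the test certificate."""
    if shutil.which("openssl") is None:
        return None
    workdir = tempfile.mkdtemp()
    try:
        key, cert = mint_self_signed(workdir)
        server_ctx, client_ctx = build_contexts(key, cert)   # before chroot
    except BaseException:
        shutil.rmtree(workdir, ignore_errors=True)
        raise
    # Simulated chroot: from here on the PEM files are not visible.
    # Real code: os.chroot(jail); os.chdir("/"); os.setgid(gid); os.setuid(uid)
    shutil.rmtree(workdir)
    cn, payload = handshake(server_ctx, client_ctx)           # after chroot
    return cn, payload, os.path.exists(key), load_inside_jail(key, cert)


if __name__ == "__main__":
    print(demo())
```

The contexts are the only objects that need to cross the chroot boundary; the listening socket can be created before or after. The module-level ssl.wrap_socket() Chris calls "the default wrap_socket" built a fresh context per call and was removed in Python 3.12, so on current interpreters holding an SSLContext is the only option anyway.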