Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #71043

Re: Using ssl.wrap_socket() in chroot jail

Show all headers | View raw

On 07.05.2014 17:42, Grant Edwards wrote:
> Let's say you have a server/daemon application written in python that
> accepts incoming SSL connections.
> 
> You want to run that application in a chroot jail.  
> 
> The last thing you want in that jail is your SSL certificate private
> key file.
> 
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects.  It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
> 
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?

Python's SSL module can't load private key from memory. I wanted to
implement that feature for 3.4 but the feature wasn't ready by then.
You have multiple options:

* create a SSLContext, then chroot()
* use pyOpenSSL / cryptography als TLS library
* don't do SSL in your daemon and let some proxy or load balancer do TLS
offloading, e.g. NGinx or Apache + mod_proxy

Christian

Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread

Thread

Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 15:42 +0000
  Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 02:04 +1000
  Re: Using ssl.wrap_socket() in chroot jail Christian Heimes <christian@python.org> - 2014-05-07 20:11 +0200
    Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 18:51 +0000
      Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 12:12 +1000
        Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-08 13:31 +0000

csiph-web