Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #71043
| Path | csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed2.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <python-python-list@m.gmane.org> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/simple; d=python.org; s=200901; t=1399486313; bh=3YG2Y9dPJ6Vn174kwcdWZDjla79IAH/nHcDGXTJaIpk=; h=To:From:Subject:Date:References:In-Reply-To:From; b=qp3iqR2i7c5qx/nSOD+P7KyaCMsP+3O4aqVmuolIDOaLPk0RQbLsJYPt5NaFKBu9L Aju28HcatbPqfgDUlKISlzcftz6743FCPZCOr4G19h/QkxMhj3OAFdjyCjIK6zeRj2 dA/tfjmztIWHhNPe40sjW0uWdsYQPQmWV8TeeSIs= |
| X-Spam-Status | OK 0.001 |
| X-Spam-Evidence | '*H*': 1.00; '*S*': 0.00; 'memory.': 0.07; 'subject:skip:s 10': 0.07; 'pyopenssl': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'python': 0.11; 'apache': 0.15; 'accepts': 0.16; 'filename,': 0.16; 'from:name:christian heimes': 0.16; 'jail': 0.16; 'objects.': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'stringio': 0.16; 'tls': 0.16; 'from:addr:python.org': 0.16; 'wrote:': 0.18; 'library': 0.18; 'module': 0.19; "python's": 0.19; 'written': 0.21; 'appears': 0.22; 'accepted.': 0.22; 'load': 0.23; 'header:User-Agent:1': 0.23; 'proxy': 0.24; 'ssl': 0.24; 'file.': 0.24; 'header:X -Complaints-To:1': 0.27; 'header:In-Reply-To:1': 0.27; 'feature': 0.29; 'then.': 0.30; 'keys': 0.31; 'file': 0.32; 'run': 0.32; "can't": 0.35; 'connection': 0.35; 'but': 0.35; 'options:': 0.36; 'application': 0.37; 'christian': 0.38; 'implement': 0.38; 'e.g.': 0.38; 'to:addr:python-list': 0.38; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'how': 0.40; 'incoming': 0.72; '3.4': 0.84; 'balancer': 0.84; 'subject:Using': 0.84; 'certificates': 0.91; 'cryptography': 0.91; 'edwards': 0.91 |
| X-Injected-Via-Gmane | http://gmane.org/ |
| To | python-list@python.org |
| From | Christian Heimes <christian@python.org> |
| Subject | Re: Using ssl.wrap_socket() in chroot jail |
| Date | Wed, 07 May 2014 20:11:39 +0200 |
| References | <lkdk9l$le3$1@reader1.panix.com> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=ISO-8859-1 |
| Content-Transfer-Encoding | 7bit |
| X-Gmane-NNTP-Posting-Host | 212.12.46.3 |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 |
| In-Reply-To | <lkdk9l$le3$1@reader1.panix.com> |
| X-Enigmail-Version | 1.5.2 |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.15 |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.9745.1399486314.18130.python-list@python.org> (permalink) |
| Lines | 29 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1399486314 news.xs4all.nl 2957 [2001:888:2000:d::a6]:42081 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:71043 |
Show key headers only | View raw
On 07.05.2014 17:42, Grant Edwards wrote: > Let's say you have a server/daemon application written in python that > accepts incoming SSL connections. > > You want to run that application in a chroot jail. > > The last thing you want in that jail is your SSL certificate private > key file. > > But, it appears the ssl module won't accept SSL certificates and keys > as data strings, or as stringio file objects. It will only accept a > filename, and it has to open/read that file every time a connection is > accepted. > > So how do you avoid having your certificate key file sitting, readable, > in the chroot jail? Python's SSL module can't load private key from memory. I wanted to implement that feature for 3.4 but the feature wasn't ready by then. You have multiple options: * create a SSLContext, then chroot() * use pyOpenSSL / cryptography als TLS library * don't do SSL in your daemon and let some proxy or load balancer do TLS offloading, e.g. NGinx or Apache + mod_proxy Christian
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 15:42 +0000
Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 02:04 +1000
Re: Using ssl.wrap_socket() in chroot jail Christian Heimes <christian@python.org> - 2014-05-07 20:11 +0200
Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-07 18:51 +0000
Re: Using ssl.wrap_socket() in chroot jail Chris Angelico <rosuav@gmail.com> - 2014-05-08 12:12 +1000
Re: Using ssl.wrap_socket() in chroot jail Grant Edwards <invalid@invalid.invalid> - 2014-05-08 13:31 +0000
csiph-web