Using ssl.wrap_socket() in chroot jail
Chris Angelico
rosuav at gmail.com
Wed May 7 12:04:45 EDT 2014
On Thu, May 8, 2014 at 1:42 AM, Grant Edwards <invalid at invalid.invalid> wrote:
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects. It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?
I was going to say "if all else fails, monkey-patch", but the source
code shows that the Python ssl module just passes the file name
straight on to _ssl... and, what's more, that _ssl.c just passes it
right along to SSL_CTX_use_PrivateKey_file which I presume is part of
OpenSSL.
Is it possible for you to initialize an SSLContext before chrooting,
and just hold that in memory? You can then use its wrap_socket instead
of the default wrap_socket. According to the docstring for SSLContext,
it can hold "... possibly a private key", but I don't see a parameter
for that; that's probably just indicative of my lack of experience
with Python's ssl module, though.
If you invoke Python entirely within the chroot jail, though, I don't
know of a way around it.
ChrisA
More information about the Python-list
mailing list