Using ssl.wrap_socket() in chroot jail
Christian Heimes
christian at python.org
Wed May 7 14:11:39 EDT 2014
On 07.05.2014 17:42, Grant Edwards wrote:
> Let's say you have a server/daemon application written in python that
> accepts incoming SSL connections.
>
> You want to run that application in a chroot jail.
>
> The last thing you want in that jail is your SSL certificate private
> key file.
>
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects. It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?
Python's SSL module can't load private key from memory. I wanted to
implement that feature for 3.4 but the feature wasn't ready by then.
You have multiple options:
* create a SSLContext, then chroot()
* use pyOpenSSL / cryptography als TLS library
* don't do SSL in your daemon and let some proxy or load balancer do TLS
offloading, e.g. NGinx or Apache + mod_proxy
Christian
More information about the Python-list
mailing list