[New-bugs-announce] [issue3823] ssl.wrap_socket() is incompatible with unprivileged servers, due to keyfile requirement
Forest Wilkinson
report at bugs.python.org
Tue Sep 9 20:25:19 CEST 2008
New submission from Forest Wilkinson <forest at users.sourceforge.net>:
SSLSocket() and ssl.wrap_socket() accept private keys only as paths to
their location on the file system. This means that a server can only
support SSL if it has read access to its private key file at the time
when client connections arrive, which is a problem for servers that bind
to their socket and drop privileges as soon as they start up.
In other words, the new ssl module's API prevents its use in servers
that follow best practices that are prevalent in the unix world.
If SSLSocket() and ssl.wrap_socket() were updated to accept private keys
as strings (or open file-like objects or some such), the problem would
go away. Moreover, it would allow a program to keep private keys cached
in memory, which might slightly improve performance over reading them
from the file system on every new connection.
----------
components: Library (Lib)
messages: 72891
nosy: forest
severity: normal
status: open
title: ssl.wrap_socket() is incompatible with unprivileged servers, due to keyfile requirement
type: security
versions: Python 2.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue3823>
_______________________________________
More information about the New-bugs-announce
mailing list