Simon Cross <[EMAIL PROTECTED]> added the comment:

I've dug around in the code a bit and the keyfile, certfile and ca_certs filename arguments to SSLSocket.__init__ are passed down into newPySSLObject in _ssl.c and from there directly to SSL_CTX_* functions from OpenSSL, so making these arguments allow file-like objects is going to be non-trivial.
The options I see are:

* Write the file-like objects out to named temporary files and pass those through to OpenSSL (seems like a nasty hack and prone to all sorts of problems).
* Change which OpenSSL functions are used to set up the certificate (I definitely don't think this could go into 2.6 or 3.0 at this stage; also see analysis of current OpenSSL usage below for more difficulties).
* Add an SSL CTX wrapper object and allow that to be passed down to newPySSLObject instead of the filenames. Then the CTX object could be created before dropping privileges (I think this is probably also too big a change to be considered for 2.6 or 3.0 at this point, but it's what looks best to me at the moment).

The current situation in _ssl.c:

* keyfile is loaded using SSL_CTX_use_PrivateKey_file(...) which loads the first certificate from keyfile into ctx. We could replace this with SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) but we'd have to load the key ourselves and make sure to follow what OpenSSL does to maintain compatibility.
* certfile is loaded with SSL_CTX_use_certificate_chain_file(...) which reads in all the certificates from certfile into ctx. We could read the certificates in ourselves and then load them one by one using SSL_CTX_use_certificate(...) and then SSL_CTX_add_extra_chain_cert(...).
* ca_certs is loaded using SSL_CTX_load_verify_locations(...). As far as I can see there is no convenient replacement function for this in OpenSSL. SSL_CTX_set_client_CA_list(...) will load a list of certificate names but doesn't load the certificates themselves (so verification won't be done with them) and SSL_CTX_add_client_CA(...) has the same issue. One could use SSL_CTX_set_cert_store(...) to register callbacks (and then presumably one can do whatever one wants and can get around the ca_certs issue) but the man page for SSL_CTX_set_cert_store has the rather disheartening "Currently no detailed documentation on how to use the X509_STORE object is available."
All this comes with the proviso that I just started digging into the OpenSSL manpages today so I'm a long way from being an expert. :) I can probably find time to create a patch with tests once we have a clear direction to go in.

@Forest: If you have any details on how non-Python servers go about loading certificates and then dropping privileges using OpenSSL, that would be extremely useful.

----------
nosy: +hodgestar

_______________________________________
Python tracker <http://bugs.python.org/issue3823>
_______________________________________