I've been trying out the new ssl module, and I love it so far, except for the way it accepts private keys and certificates. It accept them only as paths to their location on the file system, which I believe means that a server can only support SSL if it has read permission to its private key file when client connections arrive. This is a problem for servers that bind to their socket and drop privileges as soon as they start up, a practice that is both common and recommended in the unix world.
IMHO, this severely limits the new ssl module's utility, and discourages good security practices. Wouldn't it be better if we could specify keys and certificates as bytes or file-like objects? This would solve the security issue, give applications more flexibility in key management, and might also improve performance slightly (by avoiding file system operations at accept() time). Perhaps there's a workaround that I haven't noticed yet? A quick look at the source code didn't reveal any obvious way to specify keys other than as paths in the file system. http://bugs.python.org/issue3823 _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
