On 07.05.2014 17:42, Grant Edwards wrote:
> Let's say you have a server/daemon application written in python that
> accepts incoming SSL connections.
>
> You want to run that application in a chroot jail.
>
> The last thing you want in that jail is your SSL certificate private
> key file.
>
> But, it appears the ssl module won't accept SSL certificates and keys
> as data strings, or as stringio file objects. It will only accept a
> filename, and it has to open/read that file every time a connection is
> accepted.
>
> So how do you avoid having your certificate key file sitting, readable,
> in the chroot jail?
Python's SSL module can't load a private key from memory. I wanted to implement that feature for 3.4 but the feature wasn't ready by then. You have multiple options:

* create a SSLContext, then chroot()
* use pyOpenSSL / cryptography as TLS library
* don't do SSL in your daemon and let some proxy or load balancer do TLS offloading, e.g. Nginx or Apache + mod_proxy

Christian

--
https://mail.python.org/mailman/listinfo/python-list
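The first option above (build the SSLContext, then chroot) as an added example; this is not code from the thread. It assumes the jail directory, uid/gid and key path are supplied by the caller, and makes the loader and jail steps injectable so the ordering can be exercised without root; the key-placement check is a defensive addition, not something the reply describes.

```python
import os
import ssl


def build_tls_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Load cert and key while the files are still reachable.
    load_cert_chain() reads both files once; the parsed key then lives
    only in process memory, so neither file needs to exist in the jail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def key_outside_jail(keyfile: str, jail_dir: str) -> bool:
    """True if keyfile does not resolve to a path under jail_dir, i.e. it
    becomes unreachable once the process has chroot()ed."""
    key = os.path.realpath(keyfile)
    jail = os.path.realpath(jail_dir)
    return os.path.commonpath([key, jail]) != jail


def enter_jail(jail_dir: str, uid: int, gid: int) -> None:
    """chroot, then drop root so the process cannot chroot back out."""
    os.chroot(jail_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def start_tls_server(certfile: str, keyfile: str, jail_dir: str,
                     uid: int, gid: int, *,
                     load=build_tls_context, jail=enter_jail):
    """Order matters: take the key material into memory first, then lock
    the process into the jail. `load` and `jail` are hypothetical
    injection points so the sequence can be tested without root."""
    if not key_outside_jail(keyfile, jail_dir):
        raise RuntimeError(f"{keyfile} lies inside jail {jail_dir}; move it out")
    ctx = load(certfile, keyfile)   # still root, still outside the jail
    jail(jail_dir, uid, gid)        # from here on the key file is unreachable
    return ctx                      # use ctx.wrap_socket() in the accept loop
```

Connections accepted after this point are wrapped with the in-memory context; the jail filesystem never needs a copy of the key.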