Re: [Python-Dev] new ssl module is incompatible with servers that drop privileges
> It accepts them only as paths to their location on the file system, which I believe means that a server can only support SSL if it has read permission to its private key file when client connections arrive. This is a problem for servers that bind to their socket and drop privileges as soon as they start up, a practice that is both common and recommended in the unix world.

Ah, excellent point. IMHO, this severely limits the new ssl module's utility, and discourages good security practices. Please file a bug report. A bug report with a patch and tests would be even better :-). Assign it to me.

> Wouldn't it be better if we could specify keys and certificates as bytes or file-like objects? This would solve the security issue, give applications more flexibility in key management, and might also improve performance slightly (by avoiding file system operations at accept() time).

I like it!

Bill

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] new ssl module is incompatible with servers that drop privileges
On Tue, September 9, 2008 12:49 pm, Bill Janssen wrote:
> IMHO, this severely limits the new ssl module's utility, and discourages good security practices. Please file a bug report. A bug report with a patch and tests would be even better :-). Assign it to me.

I filed one, but the bug tracker doesn't seem to offer a way to assign it to you. I'll add you to the nosy list.

http://bugs.python.org/issue3823

I'm pretty swamped right now, so I don't think I can learn the code well enough to make a patch in the few weeks before python 2.6 is released. (How nice it would be if the debut of this very useful module was free of this problem!) If I find some unexpected free time, I'll take a crack at it.
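The startup ordering the thread describes (load key material, bind, drop privileges, then accept), as an added example that is not code from the thread or from CPython: with the later SSLContext API (Python 3.2 and up) the key is read once at load_cert_chain() time, so wrapping connections after the privilege drop needs no file access, and readable_by() is a preflight that would have flagged the original problem (the service account cannot read the key). The username, port, and the uid/gid 65534 stand-in for the service account are assumptions.

```python
import os
import pwd
import socket
import ssl
import stat
import tempfile

def build_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    # SSLContext reads both files right here; the key is never reopened at accept() time.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def readable_by(path: str, uid: int, gid: int) -> bool:
    # Preflight from mode bits only (ignores ACLs and supplementary groups); root reads anything.
    st = os.stat(path)
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid == gid else stat.S_IROTH
    return uid == 0 or bool(st.st_mode & bit)

def drop_privileges(username: str) -> None:
    pw = pwd.getpwnam(username)
    os.setgroups([])        # clear supplementary groups first
    os.setgid(pw.pw_gid)    # group before user, or setgid() would already fail
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)        # must fail: the drop has to be irreversible
    except PermissionError:
        return
    raise RuntimeError("privilege drop was reversible")

def serve(certfile: str, keyfile: str, username: str, port: int) -> None:
    ctx = build_server_context(certfile, keyfile)   # 1. read cert and key while privileged
    listener = socket.socket()
    listener.bind(("", port))                        # 2. bind the privileged port
    listener.listen()
    drop_privileges(username)                        # 3. the key file may now be unreadable
    while True:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:  # 4. no file access needed
            tls.sendall(b"hello\n")

def demo_permission_check() -> dict:
    # Constructed scenario: a key file owned by this process (mkstemp creates it mode 0600),
    # checked for the owner and for an unrelated service account (uid/gid 65534 as stand-in).
    fd, path = tempfile.mkstemp()
    os.close(fd)
    result = {"owner": readable_by(path, os.getuid(), os.getgid()),
              "service_user": readable_by(path, 65534, 65534)}
    os.remove(path)
    return result
```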