On Thu, May 8, 2014 at 1:42 AM, Grant Edwards <invalid@invalid.invalid> wrote: > But, it appears the ssl module won't accept SSL certificates and keys > as data strings, or as stringio file objects. It will only accept a > filename, and it has to open/read that file every time a connection is > accepted. > > So how do you avoid having your certificate key file sitting, readable, > in the chroot jail?
I was going to say "if all else fails, monkey-patch", but the source code shows that the Python ssl module just passes the file name straight on to _ssl... and, what's more, that _ssl.c just passes it right along to SSL_CTX_use_PrivateKey_file which I presume is part of OpenSSL. Is it possible for you to initialize an SSLContext before chrooting, and just hold that in memory? You can then use its wrap_socket instead of the default wrap_socket. According to the docstring for SSLContext, it can hold "... possibly a private key", but I don't see a parameter for that; that's probably just indicative of my lack of experience with Python's ssl module, though. If you invoke Python entirely within the chroot jail, though, I don't know of a way around it. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
