On 2014-05-07, Christian Heimes <christ...@python.org> wrote:
> On 07.05.2014 17:42, Grant Edwards wrote:
>> Let's say you have a server/daemon application written in python that
>> accepts incoming SSL connections.
>>
>> You want to run that application in a chroot jail.
>>
>> The last thing you want in that jail is your SSL certificate private
>> key file.

[...]

> Python's SSL module can't load a private key from memory. I wanted to
> implement that feature for 3.4 but the feature wasn't ready by then.
> You have multiple options:
>
> * create a SSLContext, then chroot()
> * use pyOpenSSL / cryptography as TLS library
> * don't do SSL in your daemon and let some proxy or load balancer do TLS
> offloading, e.g. NGinx or Apache + mod_proxy

Unfortunately, the actual SSL wrapping stuff isn't being done in my
code. It's being done by the secure-smtpd module, which will pass
whatever cert/key params I give it to ssl.wrap_socket().

That still leaves the third option (e.g. stunnel).

Thanks.

-- 
Grant Edwards               grant.b.edwards        Yow! I'm wearing PAMPERS!!
                                  at
                              gmail.com
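As an added example (not code from this thread, from secure-smtpd or from any poster), here is the first option Christian lists, on a Unix host: the key is parsed into an SSLContext before chroot() and the privilege drop, and the daemon then wraps its sockets with that context instead of handing file paths to ssl.wrap_socket(). The injectable syscall parameters, the post-chroot check and all paths are hypothetical, added so the ordering can be exercised without root.

```python
import os
import ssl


def build_tls_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Parse cert and key into memory while the key file is still reachable.

    Must run before chroot(); the SSLContext keeps the parsed key and never
    re-reads the file, so the file need not exist inside the jail.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def enter_jail(jail_dir, uid, gid, *, chdir=os.chdir, chroot=os.chroot,
               setgroups=os.setgroups, setgid=os.setgid, setuid=os.setuid):
    """chroot() into jail_dir and drop root (hypothetical injectable syscalls)."""
    chdir(jail_dir)
    chroot(".")
    chdir("/")          # don't keep a cwd handle that points outside the jail
    setgroups([])       # clear supplementary groups before changing gid/uid
    setgid(gid)         # group first: after setuid() we can't change it
    setuid(uid)         # root is gone from here on; chroot() can't be undone


def start_jailed_daemon(certfile, keyfile, jail_dir, uid, gid, *,
                        build_context=build_tls_context, **jail_calls):
    """Order matters: read the key, then jail, then serve with the context."""
    ctx = build_context(certfile, keyfile)        # 1. key read, outside jail
    enter_jail(jail_dir, uid, gid, **jail_calls)  # 2. key file now unreachable
    if os.path.exists(keyfile):                   # 3. sanity check: if the key
        raise RuntimeError("private key is visible inside the jail: "
                           + keyfile)             #    is in the jail, the jail
    return ctx                                    #    gives no protection


def wrap_listener(ctx, sock):
    """Wrap an accepted socket with the pre-built context.

    ssl.wrap_socket(certfile=..., keyfile=...) would try to open the key
    from inside the jail and fail; the context already holds it.
    """
    return ctx.wrap_socket(sock, server_side=True)
```

A library that only accepts cert/key paths (the secure-smtpd situation above) forces the load to happen after chroot(), which is exactly why this ordering cannot be applied there.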