On 2014-05-07, Christian Heimes <christ...@python.org> wrote:
> On 07.05.2014 17:42, Grant Edwards wrote:
>> Let's say you have a server/daemon application written in python that
>> accepts incoming SSL connections.
>> 
>> You want to run that application in a chroot jail.  
>> 
>> The last thing you want in that jail is your SSL certificate private
>> key file.

[...]

> Python's SSL module can't load a private key from memory. I wanted to
> implement that feature for 3.4 but the feature wasn't ready by then.
> You have multiple options:
>
> * create an SSLContext, then chroot()
> * use pyOpenSSL / cryptography as TLS library
> * don't do SSL in your daemon and let some proxy or load balancer do TLS
>   offloading, e.g. NGinx or Apache + mod_proxy

Unfortunately, the actual SSL wrapping stuff isn't being done in my
code.  It's being done by the secure-smtpd module, which will pass
whatever cert/key params I give it to ssl.wrap_socket().  That still
leaves the third option (e.g. stunnel).

Thanks.

-- 
Grant Edwards               grant.b.edwards        Yow! I'm wearing PAMPERS!!
                                  at               
                              gmail.com            
-- 
https://mail.python.org/mailman/listinfo/python-list
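Christian's first option (build the SSLContext, then chroot()) carried through in code, as an added example that is not from the thread or from Python's own documentation. It loads the key into memory, then proves the context still completes a TLS handshake after the key file has been deleted from disk; the constructed self-signed cert helper assumes the openssl CLI is installed, and the chroot()/setuid step is only meant to be called while still root.

```python
import os
import socket
import ssl
import subprocess
import threading

def load_tls_context(certfile, keyfile):
    """Read cert and key into memory; the files are not needed afterwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def drop_into_jail(jail_dir, uid, gid):
    """chroot() and shed root only after the key is in memory (needs root).
    chdir first so no handle escapes; setgid before setuid since that needs root."""
    os.chdir(jail_dir)
    os.chroot(jail_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

def make_test_cert(dirpath):
    """Constructed self-signed cert for a local test; assumes the openssl CLI."""
    cert, key = os.path.join(dirpath, "cert.pem"), os.path.join(dirpath, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=localhost", "-keyout", key,
                    "-out", cert], check=True, capture_output=True)
    return cert, key

def loopback_handshake(server_ctx):
    """Show the context still serves TLS: returns the negotiated version."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}
    def serve():
        conn, _ = listener.accept()
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            seen["version"] = tls.version()
    worker = threading.Thread(target=serve)
    worker.start()
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname, client.verify_mode = False, ssl.CERT_NONE  # self-signed
    with client.wrap_socket(socket.create_connection(listener.getsockname())):
        pass
    worker.join()
    listener.close()
    return seen["version"]
```

Call load_tls_context() first and drop_into_jail() second in the daemon; the ordering is the whole point, since the jail never needs to contain key.pem.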
