New submission from Forest Wilkinson <[EMAIL PROTECTED]>: SSLSocket() and ssl.wrap_socket() accept private keys only as paths to their location on the file system. This means that a server can only support SSL if it has read access to its private key file at the time when client connections arrive, which is a problem for servers that bind to their socket and drop privileges as soon as they start up.
In other words, the new ssl module's API prevents its use in servers that follow best practices that are prevalent in the unix world. If SSLSocket() and ssl.wrap_socket() were updated to accept private keys as strings (or open file-like objects or some such), the problem would go away. Moreover, it would allow a program to keep private keys cached in memory, which might slightly improve performance over reading them from the file system on every new connection.

----------
components: Library (Lib)
messages: 72891
nosy: forest
severity: normal
status: open
title: ssl.wrap_socket() is incompatible with unprivileged servers, due to keyfile requirement
type: security
versions: Python 2.6

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue3823>
_______________________________________
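As an added example (not part of the report or of CPython itself), the pattern a privilege-dropping server needs: read the certificate and key into an ssl.SSLContext while still privileged, so that only the in-memory key is used once file access is gone. It assumes the later SSLContext API rather than the 2.6-era wrap_socket(keyfile=...) call, uses the openssl CLI to create throwaway test material, and stands in for the real privilege drop with a chmod that makes the key file unreadable.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

def make_test_material(directory):
    """Constructed fixture: a throwaway self-signed cert + key via the openssl CLI."""
    certfile = os.path.join(directory, "server.crt")
    keyfile = os.path.join(directory, "server.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", keyfile, "-out", certfile],
        check=True, capture_output=True)
    os.chmod(keyfile, 0o600)  # key readable only by the (still privileged) owner
    return certfile, keyfile

def load_server_context(certfile, keyfile):
    """Step 1, before dropping privileges: the key is read once and held in memory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def revoke_key_access(keyfile):
    """Step 2, stand-in for setuid()/setgid(): the key file is no longer readable."""
    os.chmod(keyfile, 0)

def handshake_works(server_ctx, certfile):
    """Step 3: a full TLS handshake over a socketpair using only the cached key."""
    client_ctx = ssl.create_default_context(cafile=certfile)  # cert is public, still readable
    srv_sock, cli_sock = socket.socketpair()
    result = {}
    def server():
        with server_ctx.wrap_socket(srv_sock, server_side=True) as s:
            s.sendall(b"ok")
    t = threading.Thread(target=server)
    t.start()
    with client_ctx.wrap_socket(cli_sock, server_hostname="localhost") as c:
        result["reply"] = c.recv(2)
    t.join()
    return result["reply"] == b"ok"

def demo():
    """Run the whole sequence; returns None when the openssl CLI is unavailable."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        certfile, keyfile = make_test_material(d)
        ctx = load_server_context(certfile, keyfile)   # while privileged
        revoke_key_access(keyfile)                     # privileges dropped
        return {"handshake": handshake_works(ctx, certfile),
                "key_readable": os.access(keyfile, os.R_OK)}

if __name__ == "__main__":
    print(demo())
```

On a non-root run the result shows the handshake succeeding while key_readable is False, which is exactly the ordering the report asks the API to make possible.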