The _ssl module (and indeed the OpenSSL library) relies heavily on actual filesystem locations to load certificates. A client or a server may not want to rely on physical filesystem locations to load certificates for authentication or verification. Physical disk files are cumbersome and present a management burden in the presence of multiple processes.
This patch adds extensions to the _ssl.c file which allow certificates, keys and certification chains to be provided as file contents, rather than by file name.
The ctx.load_cert_chain and ctx.load_verify_locations methods take additional arguments to specify the data in this form.
The ssl.wrap_socket function does not add arguments; rather, the function is polymorphic in that the contents of certfile/keyfile are examined and treated as file data if they begin with -----BEGIN. The ca_certs argument is similarly treated as a list of file contents if it is a list (rather than a string).
This patch is the result of work at CCP for deploying SSL clients and servers in an isolated environment without having to resort to temporary disk files.
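The polymorphic rule described above (a certfile/keyfile/ca_certs value is treated as PEM contents if it begins with -----BEGIN, and ca_certs may be a list of such contents), written out as an added Python illustration rather than the patch's own _ssl.c code; the helper names are invented here, and the last function maps the result onto the cafile/cadata keywords of ssl.SSLContext.load_verify_locations in the standard library:

```python
import ssl

PEM_MARKER = "-----BEGIN"


def _as_text(value):
    """Accept str or bytes; return str so PEM data is passed as text."""
    if isinstance(value, bytes):
        return value.decode("ascii", errors="replace")
    if not isinstance(value, str):
        raise TypeError("certificate argument must be str or bytes")
    return value


def classify_cert_arg(value):
    """Return ("data", text) if value looks like PEM file contents,
    else ("path", value). The check is the strict prefix rule from the
    description: a file *name* starting with "-----BEGIN" would be
    misread as PEM data, so such names must be avoided by callers."""
    text = _as_text(value)
    if text.startswith(PEM_MARKER):
        return ("data", text)
    return ("path", value)


def classify_ca_certs(ca_certs):
    """ca_certs: a str/bytes is a path (or PEM data); a list is a list of
    PEM file contents, which are concatenated into one PEM bundle."""
    if isinstance(ca_certs, (list, tuple)):
        blocks = []
        for item in ca_certs:
            kind, text = classify_cert_arg(item)
            if kind != "data":
                raise ValueError("ca_certs list entries must be PEM contents")
            blocks.append(text if text.endswith("\n") else text + "\n")
        return ("data", "".join(blocks))
    return classify_cert_arg(ca_certs)


def verify_location_kwargs(ca_certs):
    """Map a classified ca_certs onto load_verify_locations keywords:
    in-memory PEM goes to cadata (str), a file name goes to cafile."""
    kind, value = classify_ca_certs(ca_certs)
    return {"cadata": value} if kind == "data" else {"cafile": value}


def load_ca_certs(ctx, ca_certs):
    """Load CA certificates into an ssl.SSLContext from path or memory."""
    ctx.load_verify_locations(**verify_location_kwargs(ca_certs))
```

The load_cert_chain side has no in-memory form in the standard library, so only the ca_certs mapping is wired to a real call here.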