encrypted SSL private key for webserver SSL context

encrypted SSL private key for webserver SSL context

Jeffrey Van Voorst
Hi,

I have been looking a bit for discussion around use of encrypted SSL private keys (for HTTPS) with respect to CherryPy.  What does the community think about passing in the password/passphrase for the webserver's private SSL key?

I have some source changes, and plan to test.  It is not clear to me if there are automated tests (either with respect to CherryPy itself or Cheroot) around SSL sessions.  I could have overlooked something.

Supposing I make the changes and the community is open to them, is it OK to have the password/passphrase only for the builtin SSL or would you require complementary changes for the PyOpenSSL as well?  

Regards,

Jeff Van Voorst

--
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/cherrypy-users.
For more options, visit https://groups.google.com/d/optout.
Re: encrypted SSL private key for webserver SSL context

Sviatoslav Sydorenko (@webknjaz)
Hi Jeff,

cheroot.ssl requires serious refactoring. I'm trying to track it and play around with adding some testing in https://github.com/cherrypy/cheroot/issues/95.
In general, it looks like the cheroot part needs to accept an SSLContext (and derivatives depending on the backend lib) and all individual arguments must be described in the CherryPy part.
There's also a need to refactor cheroot.makefile, which is partially blocking the process because it has an implementation incompatible with certain parts of the ssl adapters.
If you'd like to participate I'd be extremely grateful!

On Tuesday, August 14, 2018 at 17:18:48 UTC+2, Jeffrey Van Voorst wrote:
Hi,

I have been looking a bit for discussion around use of encrypted SSL private keys (for HTTPS) with respect to CherryPy.  What does the community think about passing in the password/passphrase for the webserver's private SSL key?

I have some source changes, and plan to test.  It is not clear to me if there are automated tests (either with respect to CherryPy itself or Cheroot) around SSL sessions.  I could have overlooked something.

Supposing I make the changes and the community is open to them, is it OK to have the password/passphrase only for the builtin SSL or would you require complementary changes for the PyOpenSSL as well?  

Regards,

Jeff Van Voorst

Re: encrypted SSL private key for webserver SSL context

Jeffrey Van Voorst
I rarely use Groups so I might not be posting this correctly.

I will see if I can find some time to follow up on the link you posted.  Others did mention replacing the SSLContext with a custom one.  I am not sure if those folks are using monkey patching or some other method.

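
The passphrase question raised in this thread maps onto the `password` argument of the standard library's `ssl.SSLContext.load_cert_chain()`. The following is an added example, not part of the original thread and not CherryPy or Cheroot code; it builds such a context from an encrypted PEM key. The function names, the file paths and the convention of keeping the passphrase in a mode-0600 file on a POSIX system are assumptions made for illustration.

```python
import os
import ssl
import stat


def read_passphrase(path):
    """Return the key passphrase from a file that only its owner can access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/other access set, expected mode 0600")
    with open(path, "rb") as fh:
        secret = fh.read().rstrip(b"\r\n")
    if not secret:
        raise ValueError(f"{path}: empty passphrase")
    return secret


def key_is_encrypted(keyfile):
    """True if the PEM key is encrypted (PKCS#8 or traditional OpenSSL format)."""
    with open(keyfile, "rb") as fh:
        pem = fh.read()
    # PKCS#8 keys start with "-----BEGIN ENCRYPTED PRIVATE KEY-----";
    # traditional keys carry a "Proc-Type: 4,ENCRYPTED" header line.
    return b"ENCRYPTED" in pem


def make_server_context(certfile, keyfile, passphrase_file):
    """Build a server-side SSLContext from a certificate and an encrypted key."""
    if not key_is_encrypted(keyfile):
        raise ValueError(f"{keyfile}: private key is stored unencrypted")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Passing password= explicitly keeps OpenSSL from prompting on the
    # terminal, which would stall a server started without a TTY.
    ctx.load_cert_chain(certfile, keyfile, password=read_passphrase(passphrase_file))
    return ctx


if __name__ == "__main__":
    # Hypothetical paths, for illustration only.
    context = make_server_context("server.crt", "server.key", "server.pass")
    print(context.minimum_version)
```

A wrong passphrase surfaces as `ssl.SSLError` from `load_cert_chain()`, so a misconfigured deployment fails at startup rather than at the first handshake.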