Message 115195 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	giampaolo.rodola
Recipients	exarkun, giampaolo.rodola, janssen, pitrou
Date	2010-08-29.20:50:00
SpamBayes Score	3.750802e-10
Marked as misclassified	No
Message-id	<1283115004.18.0.127719277897.issue9711@psf.upfronthosting.co.za>
In-reply-to

Content
By taking a look at ssl.py it seems that keyfile argument is ignored if certfile argument is not specified as well. Here's an extract of ssl.py code: class SSLSocket: def __init__(self, sock=None, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, do_handshake_on_connect=True, family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, suppress_ragged_eofs=True, ciphers=None, _context=None): [...] if certfile and not keyfile: keyfile = certfile [...] if certfile: self.context.load_cert_chain(certfile, keyfile) So at the current stage this: >>> ssl.wrap_socket(socket.socket(), keyfile="XXX") <ssl.SSLSocket object, fd=5, family=2, type=1, proto=0> ...would be equal to: >>> ssl.wrap_socket(socket.socket()) <ssl.SSLSocket object, fd=5, family=2, type=1, proto=0> To me this leads to one question: are there circumstances in which it makes sense to specify "keyfile" and not "certfile"? As far as I know, on server-side it is always required to specify at least certfile argument, in which case this would represent a bug. Not sure about client-side sockets.

By taking a look at ssl.py it seems that keyfile argument is ignored if certfile argument is not specified as well.
Here's an extract of ssl.py code:

class SSLSocket:

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, ciphers=None,
                 _context=None):
        [...]
            if certfile and not keyfile:
                keyfile = certfile
        [...]
            if certfile:
                self.context.load_cert_chain(certfile, keyfile)

So at the current stage this:

>>> ssl.wrap_socket(socket.socket(), keyfile="XXX")
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>

...would be equal to:

>>> ssl.wrap_socket(socket.socket())
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>


To me this leads to one question: are there circumstances in which it makes sense to specify "keyfile" and *not* "certfile"?
As far as I know, on server-side it is always required to specify *at least* certfile argument, in which case this would represent a bug.
Not sure about client-side sockets.

History
Date	User	Action	Args
2010-08-29 20:50:04	giampaolo.rodola	set	recipients: + giampaolo.rodola, exarkun, janssen, pitrou
2010-08-29 20:50:04	giampaolo.rodola	set	messageid: <1283115004.18.0.127719277897.issue9711@psf.upfronthosting.co.za>
2010-08-29 20:50:00	giampaolo.rodola	link	issue9711 messages
2010-08-29 20:50:00	giampaolo.rodola	create