Author christian.heimes
Recipients asvetlov, brandon-rhodes, christian.heimes, dstufft, giampaolo.rodola, jcea, jgehrcke, kristjan.jonsson, martius, njs, orsenthil, pitrou
Date 2018-01-12.09:25:21
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>

I'm not a fan of PR 2449 because it provides yet another way to load certificates and keys from memory. It's a clever idea to use MemoryBIO here. But the approach is *not* compatible with PEP 543. The PEP requires an API that can turn a memory blob into a series of certificate objects. PR 2449 doesn't enable memory -> certificate. The new API is OpenSSL specific and restricted to PKCS#8 key in PEM/DER encoding. PEP 543 is extensible for PKCS#11, engine and HSM support. PR 2449 is not.

There are other issues with PR 2449. For example it's missing several GIL releases calls. The password callback doesn't look correct in some places. provides a PEP 543-compatible implementation (plus additions from pending PR):

>>> import ssl

>>> chain = ssl.Certificate.chain_from_file("Lib/test/ssl_cert.pem")
>>> cas = ssl.Certificate.bundle_from_file("Lib/test/pycacert.pem")
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: [PEM: BAD_PASSWORD_READ] bad password read (_ssl.c:58)
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem", password="somepass")

>>> chain
(<_ssl.Certificate '/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost'>,)
>>> cas
[<_ssl.Certificate '/C=XY/O=Python Software Foundation CA/CN=our-ca-server'>]

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> ctx.load_cert_chain(chain, pkey)
>>> ctx.load_verify_locations(cadata=cas)

# get_ca_certs() doesn't return ssl.Certificates yet
>>> ctx.get_ca_certs()
[{'subject': ((('countryName', 'XY'),), (('organizationName', 'Python Software Foundation CA'),), (('commonName', 'our-ca-server'),)), 'issuer': ((('countryName', 'XY'),), (('organizationName', 'Python Software Foundation CA'),), (('commonName', 'our-ca-server'),)), 'version': 3, 'serialNumber': 'B09264B1F2DA21D0', 'notBefore': 'Jan  4 19:47:07 2013 GMT', 'notAfter': 'Jan  2 19:47:07 2023 GMT'}]
Date User Action Args
2018-01-12 09:25:21christian.heimessetrecipients: + christian.heimes, jcea, orsenthil, pitrou, kristjan.jonsson, giampaolo.rodola, njs, asvetlov, jgehrcke, brandon-rhodes, dstufft, martius
2018-01-12 09:25:21christian.heimessetmessageid: <>
2018-01-12 09:25:21christian.heimeslinkissue16487 messages
2018-01-12 09:25:21christian.heimescreate