-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for password-protected client keyfiles #1489
Add support for password-protected client keyfiles #1489
Conversation
9bdeb39
to
4929009
Compare
Codecov Report
@@ Coverage Diff @@
## master #1489 +/- ##
==========================================
- Coverage 66.84% 64.84% -2.01%
==========================================
Files 22 22
Lines 2760 2904 +144
==========================================
+ Hits 1845 1883 +38
- Misses 915 1021 +106
Continue to review full report at Codecov.
|
4929009
to
9cc6a5f
Compare
The commit I just pushed implements simple logic to detect an encrypted key file and raise a helpful error message before OpenSSL has a chance to block indefinitely. If there's other ideas or we decide against landing that commit I can roll it back. |
a243a3b
to
2abe111
Compare
cc @alex |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks sensible to me.
I'm not super familiar with the latest developments of the pyopenssl/SSLContext APIs so I can't speak to whether there's a better way to do this.
Soft 👍
Quick skim looks fine to me. |
Thanks all! |
|
||
def _is_key_file_encrypted(key_file): | ||
"""Detects if a key file is encrypted or not.""" | ||
with open(key_file, 'r') as f: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sethmlarson There would not be a way to put this in a try...except or something? We want to avoid files or temporary files and we put a special HTTPAdapter to pass the contents immediately instead of the files, but then it tracebacks at this point. Ideally, there would be support for passing the data immediately instead of opening files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jco-odoo Can you open a separate issue for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The standard library supports passing text or binary passwords to
SSLContext
so we should also support that forPyOpenSSLContext
/SecureTransportContext
objects. This PR adds support for that and tests for all situations where this functionality is supported.Currently the only way we support this is via creating your own
SSLContext
and callingload_cert_chain()
yourself. Adding thekey_password
parameter toHTTPSConnectionPool
allows this to be defined from thePoolManager
level without having to create your ownSSLContext
.Another problem that I encountered first-hand is that if OpenSSL encounters an encrypted keyfile but the
password
parameter is not given:which basically means if you try using an encrypted keyfile without a password your program just straight up blocks which breaks a lot of things in non-interactive contexts. (PyCharm locks up irreversibly, pytest appears to be blocking indefinitely due to swallowing stdout). I was wondering if there's a way for us to stop this bad behavior on our side and raise an exception instead? Besides detecting an encrypted keyfile within
ssl_wrap_socket
I don't know what else we can do here. :(Closes #1275.