Please note that the contents of this offline web site may be out of date. To access the most recent documentation visit the online version .
Note that links that point to online resources are green in color and will open in a new window.
We would love it if you could give us feedback about this material by filling this form (You have to be online to fill it)



OpenSSL Support

Preview!

This is a Preview release of the Socket API. As a result, the API is subject to change and the service itself is currently not covered by any SLA or deprecation policy. These characteristics will be evaluated as the API and service moves towards General Availability, but developers should take this into consideration when using the Preview release of Socket API.

Note: The native python ssl module is supported in Python 2.7 only.

If you want to use native python ssl, you must enable it using the libraries configuration in your application's app.yaml file where you specify the library name "ssl", as shown here: 

libraries:
- name: ssl
  version: latest

When using Python OpenSSL in an App Engine application, note the following:

  • While App Engine socket objects can be pickled, ssl wrapped sockets do not support pickling.
  • You must use a parameter that is specific to App Engine: ca_certs . The ca_certs parameter requires a file with concatenated certificate authority certificates. Such a file may either be uploaded with your application or you may use the App Engine provided ca_certs file: '/etc/ca-certificates.crt' .
  • The python 2.7 wrap_socket method takes two file name parameters that contain the client's key and certificate. In the App Engine environment, this is limiting since the application is not able to write files to dynamically provide different keys and certificates. To get around this limitation, the certfile and keyfile parameters for the ssl.wrap_socket method can be "file-like" objects that allow the application to store certificates and keys in other ways than in just uploaded application files. (A "file-like" object is one that has a "read" method returning the entire certificate as a string.) 
    # Example of a dynamic key and cert.
datastore_record_k = db.Key.from_path('Employee', 'asalieri', 'Address', 1)
datastore_record = db.get(datastore_record_k)
key_str = datastore_record.key
cert_str = datastore_record.cert
ssl_server = ssl.wrap_socket(server_sock,
                            server_side=False,
                            keyfile=StringIO.StringIO(key_str),
                            certfile=StringIO.StringIO(cert_str),
                            cert_reqs=ssl.CERT_REQUIRED,
                            ssl_version=ssl.PROTOCOL_TLSv1,
                            ca_certs=CERTIFICATE_FILE)
  • The App Engine 2.7 ssl module also contains a hostname validation method backported from Python 3.2. Once you perform a successful ssl handshake, you must validate that the certificate supplied by the peer is one of the designated hosts in the peer's certificate, in order to prevent security attacks such as "man in the middle": 
    ssl.match_hostname(ssl_server.getpeercert(), 'a.hostname.com')

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License , and code samples are licensed under the Apache 2.0 License . For details, see our Site Policies .

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.