Preview!
This is a Preview release of the Socket API. As a result, the API is
subject to change and the service itself is currently not covered by any SLA or
deprecation policy. These characteristics will be evaluated as the API and
service move towards General Availability, but developers should take this into
consideration when using the Preview release of the Socket API.
Note: The native Python ssl module is supported in Python 2.7 only.
If you want to use the native Python ssl module, you must enable it using the
libraries configuration in your application's app.yaml file, where you specify
the library name "ssl", as shown here:

```yaml
libraries:
- name: ssl
  version: latest
```
When using Python OpenSSL in an App Engine application, note the following:
- While App Engine socket objects can be pickled, ssl-wrapped sockets do not support pickling.
- You must use a parameter that is specific to App Engine: `ca_certs`. The `ca_certs` parameter requires a file of concatenated certificate authority certificates. Such a file may either be uploaded with your application, or you may use the App Engine-provided `ca_certs` file: `'/etc/ca-certificates.crt'`.
- The Python 2.7 `wrap_socket` method takes two file name parameters that contain the client's key and certificate. In the App Engine environment this is limiting, since the application cannot write files to dynamically provide different keys and certificates. To get around this limitation, the `certfile` and `keyfile` parameters of the `ssl.wrap_socket` method can be "file-like" objects, which let the application store certificates and keys in ways other than uploaded application files. (A "file-like" object is one that has a "read" method returning the entire certificate as a string.)

```python
# Example of a dynamic key and cert.
import StringIO
import ssl

from google.appengine.ext import db

# The CA bundle App Engine ships with; an uploaded bundle works too.
CERTIFICATE_FILE = '/etc/ca-certificates.crt'

# Fetch the entity that holds the PEM-encoded private key and certificate.
datastore_record_k = db.Key.from_path('Employee', 'asalieri', 'Address', 1)
datastore_record = db.get(datastore_record_k)
# The entity's properties are assumed to be named private_key and cert;
# a property cannot be called `key` because db.Model.key() is a method.
key_str = datastore_record.private_key
cert_str = datastore_record.cert

# server_sock is an already-connected App Engine socket created elsewhere.
# keyfile/certfile receive file-like objects instead of file names.
ssl_server = ssl.wrap_socket(server_sock,
                             server_side=False,
                             keyfile=StringIO.StringIO(key_str),
                             certfile=StringIO.StringIO(cert_str),
                             cert_reqs=ssl.CERT_REQUIRED,
                             ssl_version=ssl.PROTOCOL_TLSv1,
                             ca_certs=CERTIFICATE_FILE)
```
- The App Engine 2.7 ssl module also contains a hostname validation method backported from Python 3.2. Once you perform a successful ssl handshake, you must validate that the host you intended to reach is one of the names listed in the certificate supplied by the peer, in order to prevent attacks such as "man in the middle":

```python
ssl.match_hostname(ssl_server.getpeercert(), 'a.hostname.com')
```
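The two points above, the "file-like" key and certificate objects and the post-handshake hostname check, as an added example that is not App Engine's or the ssl module's own code. `pem_file_like` wraps PEM text from the datastore the way `StringIO.StringIO(key_str)` does in the page's example, but refuses text without the expected PEM armor. `verify_peer_hostname` is a simplified re-implementation of the RFC 2818 rule that `ssl.match_hostname` applies (dNSName entries in subjectAltName first, commonName only when no dNSName exists, one leading wildcard label), written so it runs on Python 3 as well as 2.7; it is not the library function. The peer-certificate dicts are constructed test data in the shape `getpeercert()` returns, not real certificates.

```python
import io


def pem_file_like(pem_text, expected_label):
    """Return a file-like object (has read()) over PEM text, as wrap_socket's
    certfile/keyfile parameters accept. Text without the expected PEM armor
    is rejected here, so a mis-stored datastore record fails loudly before
    the handshake rather than inside OpenSSL."""
    begin = '-----BEGIN %s-----' % expected_label
    end = '-----END %s-----' % expected_label
    if begin not in pem_text or end not in pem_text:
        raise ValueError('text is not a PEM %s block' % expected_label)
    return io.StringIO(pem_text)


def _dns_name_match(pattern, hostname):
    """Match one certificate name against a hostname. '*' is accepted only as
    the whole leftmost label and never spans a dot, so '*.example.com'
    matches 'a.example.com' but not 'b.a.example.com'."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if not pattern.startswith('*.'):
        return pattern == hostname
    head, sep, tail = hostname.partition('.')
    # The wildcard must absorb exactly one non-empty label, and the remaining
    # suffix must still contain a dot ('*.com' is not accepted).
    return bool(sep) and head != '' and '.' in tail and tail == pattern[2:]


def verify_peer_hostname(cert, hostname):
    """Return True if `hostname` matches a name in `cert`, a dict shaped like
    ssl.SSLSocket.getpeercert(). Raises ValueError when the dict carries no
    name at all, which is also what getpeercert() returns ({}) when the
    handshake ran with cert_reqs=CERT_NONE."""
    names = [value for kind, value in cert.get('subjectAltName', ())
             if kind == 'DNS']
    if not names:
        # commonName fallback applies only when no dNSName SAN is present.
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    names.append(value)
    if not names:
        raise ValueError('certificate carries no DNS subjectAltName or commonName')
    return any(_dns_name_match(name, hostname) for name in names)


# Constructed peer-certificate dicts (test data, not real certificates).
SAN_CERT = {
    'subject': ((('commonName', 'wrong.example.net'),),),
    'subjectAltName': (('DNS', 'a.hostname.com'), ('DNS', '*.api.hostname.com')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'a.hostname.com'),),)}

# Constructed PEM-looking text standing in for a datastore-held certificate.
SAMPLE_CERT_PEM = ('-----BEGIN CERTIFICATE-----\n'
                   'MIIB...constructed...\n'
                   '-----END CERTIFICATE-----\n')

if __name__ == '__main__':
    blob = pem_file_like(SAMPLE_CERT_PEM, 'CERTIFICATE')
    assert blob.read() == SAMPLE_CERT_PEM
    assert verify_peer_hostname(SAN_CERT, 'a.hostname.com')
    assert verify_peer_hostname(SAN_CERT, 'v1.api.hostname.com')
    # The commonName is ignored once a DNS SAN is present.
    assert not verify_peer_hostname(SAN_CERT, 'wrong.example.net')
    assert verify_peer_hostname(CN_ONLY_CERT, 'a.hostname.com')
    print('hostname checks ok')
```

After `ssl_server = ssl.wrap_socket(...)` succeeds, call `verify_peer_hostname(ssl_server.getpeercert(), 'a.hostname.com')` and close the socket if it returns False; in the App Engine 2.7 environment, `ssl.match_hostname` performs the same check and raises `ssl.CertificateError` instead of returning False. Either way the check only means something when `cert_reqs=ssl.CERT_REQUIRED` was passed, since otherwise `getpeercert()` returns an empty dict.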