Google Cloud Platform

OpenSSL Support


This is a Preview release of the Socket API. As a result, the API is subject to change and the service itself is currently not covered by any SLA or deprecation policy. These characteristics will be evaluated as the API and service moves towards General Availability, but developers should take this into consideration when using the Preview release of Socket API.

Note: The native python ssl module is supported in Python 2.7 only.

If you want to use native python ssl, you must enable it using the libraries configuration in your application's app.yaml file where you specify the library name "ssl", as shown here:

- name: ssl
  version: latest

When using Python OpenSSL in an App Engine application, note the following:

  • While App Engine socket objects can be pickled, ssl wrapped sockets do not support pickling.
  • You must use a parameter that is specific to App Engine: ca_certs. The ca_certs parameter requires a file with concatenated certificate authority certificates. Such a file may either be uploaded with your application or you may use the App Engine provided ca_certs file: '/etc/ca-certificates.crt'.
  • The python 2.7 wrap_socket method takes two file name parameters that contain the client's key and certificate. In the App Engine environment, this is limiting since the application is not able to write files to dynamically provide different keys and certificates. To get around this limitation, the certfile and keyfile parameters for the ssl.wrap_socket method can be "file-like" objects that allow the application to store certificates and keys in other ways than in just uploaded application files. (A "file-like" object is one that has a "read" method returning the entire certificate as a string.)
    # Example of a dynamic key and cert.
    datastore_record_k = ndb.Key('Employee', 'asalieri', 'Address', 1)
    datastore_record = datastore_record_k.get()
    key_str = datastore_record.key_str
    cert_str = datastore_record.cert
    ssl_server = ssl.wrap_socket(server_sock,
  • The App Engine 2.7 ssl module also contains a hostname validation method backported from Python 3.2. Once you perform a successful ssl handshake, you must validate that the certificate supplied by the peer is one of the designated hosts in the peer's certificate, in order to prevent security attacks such as "man in the middle":
    ssl.match_hostname(ssl_server.getpeercert(), '')