This is a Preview release of the Socket API. As a result, the API is
subject to change and the service itself is currently not covered by any SLA or
deprecation policy. These characteristics will be evaluated as the API and
service move towards General Availability, but developers should take this into
consideration when using the Preview release of the Socket API.
Note: The native Python `ssl` module is supported in Python 2.7 only.
If you want to use it, you must enable it through the `libraries`
configuration in your application's configuration file, specifying the
library name `ssl`, as shown here:

```yaml
libraries:
- name: ssl
  version: latest
```
When using Python OpenSSL in an App Engine application, note the following:

- While App Engine socket objects can be pickled, ssl-wrapped sockets do not support pickling.
- You must use a parameter that is specific to App Engine: the `ca_certs` parameter requires a file with concatenated certificate authority certificates. Such a file may either be uploaded with your application or you may use the App Engine provided
- The Python 2.7 `wrap_socket` method takes two file name parameters that contain the client's key and certificate. In the App Engine environment this is limiting, because the application cannot write files in order to dynamically provide different keys and certificates. To get around this limitation, the `certfile` and `keyfile` parameters of the `ssl.wrap_socket` method can be "file-like" objects, which let the application store certificates and keys in ways other than uploaded application files. (A "file-like" object is one that has a `read` method returning the entire certificate as a string.)
```python
import ssl
import StringIO

from google.appengine.ext import ndb

# Example of a dynamic key and cert: the PEM strings are read from a
# Datastore entity instead of from uploaded application files.
datastore_record_k = ndb.Key('Employee', 'asalieri', 'Address', 1)
datastore_record = datastore_record_k.get()
key_str = datastore_record.key_str
cert_str = datastore_record.cert

# server_sock (an already connected App Engine socket) and CERTIFICATE_FILE
# (the path of the concatenated CA bundle passed as ca_certs) are defined elsewhere.
ssl_server = ssl.wrap_socket(server_sock,
                             server_side=False,
                             keyfile=StringIO.StringIO(key_str),    # file-like object, not a path
                             certfile=StringIO.StringIO(cert_str),  # file-like object, not a path
                             cert_reqs=ssl.CERT_REQUIRED,
                             ssl_version=ssl.PROTOCOL_TLSv1,
                             ca_certs=CERTIFICATE_FILE)
```
- The App Engine 2.7 `ssl` module also contains a hostname validation method
backported from Python 3.2. Once the ssl handshake has succeeded, you must
validate that the host you intended to reach is one of the hosts named in the
certificate supplied by the peer; `cert_reqs=ssl.CERT_REQUIRED` only checks that
the certificate chains to one of the `ca_certs` authorities, not whom it was issued
for, so skipping the name check leaves the connection open to attacks such as
"man in the middle":
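To make the check concrete, the following is an added example, not code from the page or from the App Engine SDK: a self-contained reimplementation of the matching rules that Python's backported `ssl.match_hostname` applies. It operates on the dictionary shape that `getpeercert()` returns after a handshake, prefers `subjectAltName` DNS entries, falls back to the subject `commonName` only when no DNS entry exists, compares case-insensitively, and allows a single wildcard only in the leftmost label, where it never spans a dot. The certificates below are constructed samples; in a real client the dict would come from `ssl_server.getpeercert()`. The code runs under both Python 2.7 and Python 3.

```python
import re


class CertificateError(ValueError):
    """Raised when the peer certificate does not cover the expected hostname."""


def dnsname_match(pattern, hostname):
    """Match one dNSName/commonName pattern against hostname.

    Rules as applied by the backported ssl.match_hostname: case-insensitive,
    a single '*' is allowed only in the leftmost label, and a wildcard never
    matches across a dot (so '*.svc.example.test' does not cover 'a.b.svc.example.test').
    """
    if not pattern:
        return False
    parts = pattern.split('.')
    leftmost, remainder = parts[0], parts[1:]
    if leftmost.count('*') > 1:
        raise CertificateError('too many wildcards in certificate DNS name: %r' % pattern)
    pats = []
    if leftmost == '*':
        pats.append('[^.]+')                     # '*' alone matches exactly one non-empty label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))         # no wildcard expansion inside IDNA labels
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))  # e.g. 'f*o' -> 'f[^.]*o'
    for frag in remainder:
        pats.append(re.escape(frag))             # '*' in later labels is literal
    regex = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return regex.match(hostname) is not None


def match_hostname(cert, hostname):
    """Verify that cert (a getpeercert()-style dict) was issued for hostname.

    subjectAltName DNS entries take precedence; the subject commonName is only
    consulted when the certificate carries no DNS entry at all.
    Raises CertificateError on mismatch, mirroring the stdlib behaviour.
    """
    if not cert:
        raise CertificateError('empty or missing certificate')
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if len(dnsnames) > 1:
        raise CertificateError("hostname %r doesn't match either of %s"
                               % (hostname, ', '.join(map(repr, dnsnames))))
    elif len(dnsnames) == 1:
        raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames[0]))
    raise CertificateError('no appropriate commonName or subjectAltName fields were found')


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper: True if match_hostname accepts the pair."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificates in the shape that getpeercert() returns.
SERVER_CERT = {
    'subject': ((('commonName', 'api.example.test'),),),
    'subjectAltName': (('DNS', 'api.example.test'), ('DNS', '*.svc.example.test')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'legacy.example.test'),),)}
SAN_OVERRIDES_CN_CERT = {
    'subject': ((('commonName', 'cn.example.test'),),),
    'subjectAltName': (('DNS', 'other.example.test'),),
}
BAD_WILDCARD_CERT = {'subjectAltName': (('DNS', 'a*b*.example.test'),)}

if __name__ == '__main__':
    for host in ('api.example.test', 'db.svc.example.test',
                 'a.b.svc.example.test', 'evil.example.test'):
        print('%-24s %s' % (host, hostname_matches(SERVER_CERT, host)))
```

The point the check enforces is that a certificate which is perfectly valid and CA-signed for some other name is still rejected for the host the client asked for; that is exactly the situation a man-in-the-middle creates by presenting its own legitimately issued certificate. After `ssl.wrap_socket(...)` with `cert_reqs=ssl.CERT_REQUIRED`, call the check with `ssl_server.getpeercert()` and the hostname you connected to, and treat a `CertificateError` as a reason to close the socket without sending any data.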