mTLS connection with Strings/Buffers

I have an issue with setting up an mTLS connection using in-memory strings/buffers containing the client cert/key. I've checked out urllib, urllib3, requests and httpx, and they all seem to require passing the cert/key as file system paths. I think all the HTTP clients use the ssl module, which ends up calling cpython/Modules/_ssl.c (python/cpython on GitHub, commit 0d582def34babca7417ece8a9e4e16cc2a752d44). It works fine with files, but I would rather not write out certs and keys to the file system. Anyone else experienced similar? Have I missed something?

For the use case I have we write it to a NamedTemporaryFile and nuke it as soon as the relevant requests are done.

If you are on a linux system then write the cert/key into a tmpfs.

On my Fedora systems I have /tmp and /run, I’d use /run for better security.

Thanks, this is what I ended up with


Thanks, running in AWS Lambda so no tmpfs, but it is isolated from other executions so it should be OK to just remove when done.

OpenSSL does support loading from memory (SSL_CTX_use_certificate in the OpenSSL documentation). Is this worth raising as an issue? The implementation doesn't look too tricky.