It accept them only as paths to their location on the file system, which I believe means that a server can only support SSL if it has read permission to its private key file when client connections arrive. This is a problem for servers that bind to their socket and drop privileges as soon as they start up, a practice that is both common and recommended in the unix world.
Ah, excellent point.
IMHO, this severely limits the new ssl module's utility, and discourages good security practices.
Please file a bug report. A bug report with a patch and tests would be even better :-). Assign it to me.
Wouldn't it be better if we could specify keys and certificates as bytes or file-like objects? This would solve the security issue, give applications more flexibility in key management, and might also improve performance slightly (by avoiding file system operations at accept() time).
I like it! Bill