[New-bugs-announce] [issue9711] ssl.SSLSocket's keyfile argument seems to be ignored if specified without certfile

Giampaolo Rodola' report at bugs.python.org
Sun Aug 29 22:50:04 CEST 2010


New submission from Giampaolo Rodola' <g.rodola at gmail.com>:

By taking a look at ssl.py it seems that the keyfile argument is ignored if the certfile argument is not specified as well.
Here's an extract of ssl.py code:

class SSLSocket:

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, ciphers=None,
                 _context=None):
        [...]
            if certfile and not keyfile:
                keyfile = certfile
        [...]
            if certfile:
                self.context.load_cert_chain(certfile, keyfile)

So at the current stage this:

>>> ssl.wrap_socket(socket.socket(), keyfile="XXX")
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>

...would be equal to:

>>> ssl.wrap_socket(socket.socket())
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>


To me this leads to one question: are there circumstances in which it makes sense to specify "keyfile" and *not* "certfile"?
As far as I know, on server-side it is always required to specify *at least* the certfile argument, in which case this would represent a bug.
Not sure about client-side sockets.

----------
messages: 115195
nosy: exarkun, giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
status: open
title: ssl.SSLSocket's keyfile argument seems to be ignored if specified without certfile

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9711>
_______________________________________
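
The argument handling quoted in the report, reproduced as a pure function next to a fail-closed variant. This is an added example, not part of the original message and not code from ssl.py; the function names legacy_cert_args, strict_cert_args and make_client_context are hypothetical, and the file names are constructed placeholders that are never opened.

```python
import ssl


def legacy_cert_args(keyfile=None, certfile=None):
    """Mirror the branch logic of the ssl.py extract quoted in the report.

    Returns the (certfile, keyfile) pair that would reach load_cert_chain(),
    or None when load_cert_chain() would never be called.
    """
    if certfile and not keyfile:
        keyfile = certfile
    if certfile:
        return (certfile, keyfile)
    return None  # a keyfile passed on its own ends up here and is dropped


def strict_cert_args(keyfile=None, certfile=None):
    """Same resolution, but refuse a keyfile that has no certfile."""
    if keyfile and not certfile:
        raise ValueError("keyfile was given without certfile")
    return legacy_cert_args(keyfile, certfile)


def make_client_context(keyfile=None, certfile=None):
    """Build a verifying client context, loading a client cert only when
    the arguments are consistent (hypothetical helper)."""
    args = strict_cert_args(keyfile, certfile)  # raises before any file access
    ctx = ssl.create_default_context()
    if args is not None:
        ctx.load_cert_chain(*args)
    return ctx


if __name__ == "__main__":
    # Constructed argument values; no file is read in either call.
    print("legacy:", legacy_cert_args(keyfile="XXX"))
    try:
        make_client_context(keyfile="XXX")
    except ValueError as exc:
        print("strict:", exc)
```

With the strict variant, a caller who expected client-certificate authentication gets an error at construction time instead of a connection that silently presents no certificate.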

