Specify password for SSL client side certificate

[botondus]

As far as I know currently it's not possible to specify the password for the client side certificate you're using for authentication.
This is a bit of a problem because you typically always want to password protect your .pem file which contains the private key. openssl won't even let you create one without a password.

[botondus]

Something like:

requests.get('https://kennethreitz.com', cert='server.pem', cert_pw='my_password')

[sigmavirus24]

Pretty sure you're supposed to use the cert param for that: cert=('server.pem', 'my_password')

[t-8ch]

@sigmavirus24
The tuple is for (certificate, key). Currently there is no support for encrypted keyfiles.
The stdlib only got support for those in version 3.3.

[Lukasa]

Heh, @t-8ch, you accidentally linked to a file on your local FS. ;) Correct link.

[sigmavirus24]

Quite right @t-8ch. This is why I should never answer issues from the bus. :/

[Lukasa]

So the current consensus is we don't support this. How much work is it likely to be to add support in non-3.3 versions of Python?

[sdog869]

How hard would it be to throw an error on this condition? I just ran into this silly problem and it took two hours to figure out, it would be nice if it would throw an error, it currently just sits there looping. Thanks for the awesome library!

[Lukasa]

Wait, it sits where looping? Where in execution do we fail? Can you print the traceback from where we loop?

[sdog869]

It seems to hang right here:

r = requests.get(url,
auth=headeroauth,
cert=self.cert_tuple,
headers=headers,
timeout=10,
verify=True)

I tried turning the timeout out up or down to no avail, but I imagine it knows well before the timeout it can't use the cert. Thanks!

[Lukasa]

Ah, sorry, I wasn't clear. I meant to let it hang and then kill it with Ctrl + C so that python throws a KeyboardInterrupt exception, then to see where we are in the traceback. I want to know where in Requests the execution halts.

[maxnoel]

What's happening (or at least what I've seen in many cases) is that OpenSSL, upon being given a password-protected certificate, will prompt the user for a password. It shows up in no logs (because the prompt is directly printed), and it doesn't time out because it's waiting for a user to press enter.

Needless to say, it's cubmersome, dangerous behavior when the code is running on a server (because it'll hang your worker with no option for recovery other than killing the process).

Is there a way to make requests raise an exception in that case instead of prompting for a password, or is that completely out of your control and in OpenSSL's hands?

[sigmavirus24]

@maxnoel I'm pretty sure this is in OpenSSL's hands but if you can answer @Lukasa's question (the last comment on this issue) it would be very helpful in giving a definite answer regarding if there was anything we can do to help.

[jjguy]

You can confirm OpenSSL is blocking on stdin for the passphrase from the interactive python prompt:

>>> r = requests.get("https://foo.example.com/api/user/bill", cert=("client.crt", "client.key"))
Enter PEM pass phrase:
>>>

If you're running from a backgrounded process, I assume OpenSSL will block waiting on that input.

[maxnoel]

That's correct. Is there anything requests can do to prevent that from happening? Raising an exception when no password is given would be far more useful than prompting for stuff on stdin (especially in a non-interactive program).

[Lukasa]

I'm afraid that I don't know of any way. @reaperhulk?