
Add support for TLS

Open pafcu opened this issue 9 years ago • 8 comments

It would be nice to have support for TLS for more secure connections. At least for the WSGIRef server this should be quite easy to accomplish by using ssl.wrap_socket().

pafcu avatar May 31 '16 06:05 pafcu

The intent is good, but IMHO it belongs in wsgiref rather than here. The server should add support for SSL, not the bottle framework.

As far as I know, you can just pick another WSGI server with support for SSL. When calling run( ... ), all "other" arguments provided are simply forwarded to the server adapter you use. So for several of them, providing run( ... , certfile='...', keyfile='...') should be enough to enable SSL support. Documentation is a bit sparse though.

dagnelies avatar Aug 12 '16 16:08 dagnelies

I believe the OP would like to do this because it's useful for testing. And maybe even because it's possible with flask's app.run. However, do note that flask is more coupled with Werkzeug than bottle, but that does not mean you can't do this with a bottle app, since Werkzeug is a WSGI framework. Here is how you can run a bottle app over SSL directly with Python:

from OpenSSL import SSL
from bottle import Bottle
from werkzeug.serving import run_simple

# pyOpenSSL server context; SSLv23_METHOD lets the library pick any
# protocol version it supports rather than pinning a TLS version
context = SSL.Context(SSL.SSLv23_METHOD)
context.use_privatekey_file('yourserver.key')
context.use_certificate_file('yourserver.crt')

# a Bottle instance is a plain WSGI callable, so any WSGI server can serve it
app = Bottle()

# werkzeug's development server does the TLS handshake with that context
# and hands the decrypted requests to the app
run_simple("0.0.0.0", 8888, app, ssl_context=context)

Code stolen from http://flask.pocoo.org/snippets/111/ and looking into Flask().app().run methods, you will see that it's just a thin wrapper around from werkzeug.serving import run_simple.

oz123 avatar Aug 29 '16 13:08 oz123

Please don't spread insecure protocols like SSL.SSLv23_METHOD!

Simply do something like this:

import bottle
# ...
# certfile/keyfile are forwarded to the CherryPy server adapter
bottle.run(server='cherrypy', certfile='...', keyfile='...')

or

import bottle
# ...
# same for the gevent adapter
bottle.run(server='gevent', certfile='...', keyfile='...')

or choose your favourite supporting SSL/TLS here: http://bottlepy.org/docs/dev/deployment.html

dagnelies avatar Aug 29 '16 20:08 dagnelies

That misses the entire point of having the built-in server in the first place. There really is no excuse for not using https today, so why is it encouraged by making it difficult to do the right thing (especially when fixing it requires just a few lines of code). Services should be developed using https from the very start, instead of added on as an afterthought when you are ready to deploy.

Also, for a simple service it can be a lot of overhead to install some extra servers. The beauty of bottle (and why many choose it) is because you just need that one .py-file.

pafcu avatar Aug 29 '16 20:08 pafcu
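Those "few lines" written out, as an added example that is not part of this thread and not bottle's own code: it does what the opening post suggests, wrapping the wsgiref server's listening socket, but with a stdlib ssl.SSLContext floored at TLS 1.2 instead of the deprecated ssl.wrap_socket() or an SSLv23 context, and it serves any WSGI callable, so a bottle.Bottle() instance can be passed as app. The certificate and key file names, the hello app and the port are assumptions for the example. One caveat a practitioner wants: wsgiref derives wsgi.url_scheme from CGI-style variables and never sees the wrapped socket, so without the small middleware below the framework reports http:// in request.url and redirects.

```python
# Added example; not from the thread or from bottle itself.
# Serve any WSGI app (a bottle.Bottle() instance included) over TLS with only the
# standard library: wsgiref for HTTP, ssl for the transport.
import ssl
from wsgiref.simple_server import make_server


def new_server_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Server-side context: negotiates the highest version both sides support,
    refuses anything below TLS 1.2, and keeps the legacy SSL protocols off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    return ctx


def https_scheme(app):
    """wsgiref does not know the socket was wrapped and advertises wsgi.url_scheme
    as 'http'; correct it so the framework builds https:// URLs."""
    def wrapped(environ, start_response):
        environ["wsgi.url_scheme"] = "https"
        return app(environ, start_response)
    return wrapped


def serve_tls(app, certfile, keyfile, host="127.0.0.1", port=8443):
    """Bind the plain wsgiref server, then wrap its listening socket so every
    accepted connection completes a TLS handshake before HTTP is parsed."""
    ctx = new_server_context()
    ctx.load_cert_chain(certfile, keyfile)  # assumed PEM files, see __main__
    srv = make_server(host, port, https_scheme(app))
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    print(f"serving https://{host}:{port}/")
    srv.serve_forever()


def hello(environ, start_response):
    """Minimal WSGI app standing in for a bottle.Bottle() instance; echoes the
    scheme so the middleware's effect is visible in the response."""
    body = f"scheme={environ['wsgi.url_scheme']}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Assumed file names; a self-signed pair for local testing can be made with
    #   openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=localhost \
    #       -keyout yourserver.key -out yourserver.crt
    serve_tls(hello, "yourserver.crt", "yourserver.key")
```

Wrapping the listening socket rather than each accepted connection keeps wsgiref untouched: SSLSocket.accept() performs the handshake and returns another SSLSocket, which the request handler reads like any other connection. A client that fails the handshake (old protocol, bad SNI, self-signed cert it does not trust) is logged by socketserver's handle_error and dropped without reaching the app.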

Because the feature belongs in the (wsgiref) server, not the framework! Think of all the other libs using the default Python server; why should we duplicate the code in every app using it?!

Moreover, in order to provide SSL support, you would need dependencies, which breaks the one-file, dependency-free approach of bottle.

dagnelies avatar Aug 29 '16 20:08 dagnelies

Yes. The beauty of bottle is its minimalism. You should serve your application with SSL, not develop with it.

@dagnelies thanks for posting the better way to do it. The example from flask is very outdated.

oz123 avatar Aug 29 '16 21:08 oz123

@dagnelies: I agree it should be fixed in the library. But it isn't. We don't live in a perfect world, and sometimes you have to settle for workarounds. I'd rather have a working workaround in bottle, than not have TLS support out of the box.

pafcu avatar Aug 29 '16 21:08 pafcu

https://github.com/bottlepy/bottle/pull/647#issuecomment-60152870

defnull avatar Aug 29 '16 21:08 defnull