Python 2.7 has reached end of support and will be deprecated on January 31, 2026. After deprecation, you won't be able to deploy Python 2.7 applications, even if your organization previously used an organization policy to re-enable deployments of legacy runtimes. Your existing Python 2.7 applications will continue to run and receive traffic after their deprecation date. We recommend that you migrate to the latest supported version of Python.

Using Python SSL

Version 2.7 of the Python SSL library has been deprecated. Instead, use the latest version, currently 2.7.11.

App Engine supports the native Python SSL library for the Python 2.7 runtime via the SSL library, which you must add to your app.

Note: You can pickle App Engine socket objects, but SSL-wrapped sockets do not support pickling.

Specifying the SSL library

If you want to use native Python SSL, you must enable it by specifying ssl for the libraries configuration in your application's app.yaml. You should use the latest library version, which is currently version 2.7.11. This version supports TLS versions 1.0, 1.1, and 1.2 and corresponds to the SSL versions from Python 2.7.11 and onwards:

libraries:
- name: ssl
  version: latest

Providing authority certificates

To perform an SSL handshake, you must have a file that contains concatenated certificate authority certificates. You can upload your own file with your application, or you can use the file provided by App Engine: /etc/ca-certificates.crt.

Performing an SSL handshake

The Python 2.7 wrap_socket method takes two file name parameters that contain the client's key and certificate. In the App Engine environment, this is limiting since the application is not able to write files to dynamically provide different keys and certificates. To get around this limitation, the certfile and keyfile parameters for the ssl.wrap_socket method can be "file-like" objects that allow the application to store certificates and keys in other ways than in just uploaded application files. (A "file-like" object is one that has a "read" method returning the entire certificate as a string.)

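# Example of a dynamic key and cert.
import ssl
import StringIO

from google.appengine.ext import ndb

# server_sock is an already-connected socket; CERTIFICATE_FILE is the path to
# the concatenated CA certificates (for example /etc/ca-certificates.crt).
datastore_record_k = ndb.Key('Employee', 'asalieri', 'Address', 1)
datastore_record = datastore_record_k.get()
key_str = datastore_record.key_str
cert_str = datastore_record.cert
# keyfile and certfile are file-like objects rather than file names.
ssl_server = ssl.wrap_socket(server_sock,
                             server_side=False,
                             keyfile=StringIO.StringIO(key_str),
                             certfile=StringIO.StringIO(cert_str),
                             cert_reqs=ssl.CERT_REQUIRED,
                             ssl_version=ssl.PROTOCOL_SSLv23,
                             ca_certs=CERTIFICATE_FILE)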

You don't need to specify the ssl_version parameter. If you omit it, the 2.7.11 library defaults to PROTOCOL_SSLv23. You can also specify PROTOCOL_TLSv1, PROTOCOL_TLSv1_1, or PROTOCOL_TLSv1_2.

The App Engine implementation of the wrap_socket method includes the required parameter ca_certs, which is used to specify the special file containing concatenated certificate authority certificates.

Validating certificates

Your app should validate certificates to prevent certain security vulnerabilities such as "man in the middle" attacks.

To do this:

  1. Edit your app.yaml file, adding the environment variable PYTHONHTTPSVERIFY set to 1:

    env_variables:
      PYTHONHTTPSVERIFY: 1
  2. Redeploy your app.

As an alternative to specifying cert validation in your app.yaml, you could explicitly call the SSL library to do the validation, after you've performed a successful SSL handshake, as follows:

ssl.match_hostname(ssl_server.getpeercert(), 'a.hostname.com')

The above code uses the match_hostname feature, backported from Python 3.2 to be part of the App Engine Python 2.7.11 SSL module. This call makes sure the certificate supplied by the peer matches one of the designated hosts in the peer's certificate.
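What the hostname check looks at, as an added illustration (not App Engine's or the ssl module's own code): a simplified matcher over the dictionary shape returned by getpeercert(), using constructed certificate data and hypothetical helper names. It handles DNS names only and is stricter about wildcards than some library versions; in the app itself, call ssl.match_hostname as shown above.

```python
# Simplified illustration of a hostname check over getpeercert() output.
# Helper names and certificate dicts are constructed for this example;
# production code should call ssl.match_hostname instead.

def name_match(pattern, host):
    """Compare one DNS name from the certificate with the expected host."""
    p_labels = pattern.lower().split('.')
    h_labels = host.lower().split('.')
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == '*':
        # This example accepts a wildcard only as the whole leftmost label,
        # and only when at least two more labels follow it.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert):
    """DNS subjectAltName entries; commonName only if there are none."""
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if names:
        return names
    return [v for rdn in cert.get('subject', ())
            for k, v in rdn if k == 'commonName']


def hostname_matches(cert, hostname):
    """True if the peer certificate names the host we meant to reach."""
    if not cert:
        # getpeercert() returns an empty dict when the certificate was not
        # validated (cert_reqs=ssl.CERT_NONE), so there is nothing to trust.
        return False
    return any(name_match(n, hostname) for n in cert_names(cert))


# Constructed samples in the shape returned by getpeercert().
SAMPLE_CERT = {
    'subject': ((('commonName', 'old.example.org'),),),
    'subjectAltName': (('DNS', 'a.hostname.com'),
                       ('DNS', '*.api.hostname.com')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'a.hostname.com'),),)}
```

A certificate that chains to a trusted CA (cert_reqs=ssl.CERT_REQUIRED) but names a different host passes the handshake and fails only this check, which is why the page performs both.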

Working on dev_appserver

You can issue HTTPS requests using the urlfetch API. Dev_server's certificate validation behaviour using httplib using urlfetch is identical to the production App Engine environment. Dev_appserver does not support requests using sockets.


Last updated 2025-12-15 UTC.