Difference between ssl_context parameters in Python Flask

To support HTTPS in Python Flask, you need to specify the ssl_context parameter in the app.run() command.

documented as such:

ssl_context - an SSL context for the connection. Either an ssl.SSLContext, a tuple of the form (cert_file, pkey_file), the string "adhoc" if the server should automatically create one, or None to disable SSL (which is the default).

The options are listed below:

  • ssl.SSLContext - Requires certificate and key files.
  • tuple in the form (cert_file, pkey_file) - requires certificate and key files.
  • the 'adhoc' option seems very simple.

What is the difference between these options in these contexts:

  • User interface
  • Installing additional modules and files
  • Security
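The three forms of the ssl_context value written out in code, as an added example that is not part of the original question and not Flask's or Werkzeug's own code. It shows the one thing the (cert_file, pkey_file) tuple cannot give you: a context you tuned yourself (a TLS 1.2 floor, compression off), plus a pre-flight check of the value you are about to pass to app.run(). The helper names and the APP_ENV environment variable are this example's own assumptions, not Flask settings.

```python
"""Added example: the ssl_context forms for app.run(), with a hardened
explicit context and a pre-flight check. Not Flask/Werkzeug code."""
import importlib.util
import os
import ssl


def build_server_context(cert_file=None, pkey_file=None):
    """Form 1: an explicit ssl.SSLContext.

    Werkzeug builds a default context for you from the tuple form; building it
    yourself is how you pin the protocol floor, disable compression, or later
    require client certificates. The files are loaded only when both paths are
    given, so the settings can be inspected without certificates on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression is a known oracle
    if cert_file and pkey_file:
        ctx.load_cert_chain(cert_file, pkey_file)
    return ctx


def describe_ssl_context(option):
    """Classify an app.run(ssl_context=...) value and fail early on bad input."""
    if option is None:
        return "plain HTTP"
    if isinstance(option, ssl.SSLContext):
        return "explicit SSLContext"
    if option == "adhoc":
        # Werkzeug mints the self-signed certificate with the cryptography package,
        # so its absence is the first thing that breaks in 'adhoc' mode.
        if importlib.util.find_spec("cryptography") is None:
            raise RuntimeError("'adhoc' needs the cryptography package installed")
        return "adhoc self-signed certificate"
    if isinstance(option, tuple) and len(option) == 2:
        cert_file, pkey_file = option
        for path in (cert_file, pkey_file):
            if not os.path.isfile(path):
                raise FileNotFoundError(path)
        return "own certificate from files"
    raise ValueError(f"unsupported ssl_context value: {option!r}")


def run_kwargs(ssl_context, environ=None):
    """Keyword arguments for app.run().

    Refuses to serve TLS from the development server unless APP_ENV (this
    example's own convention) says we are in development.
    """
    environ = os.environ if environ is None else environ
    describe_ssl_context(ssl_context)
    if ssl_context is not None and environ.get("APP_ENV", "development") != "development":
        raise RuntimeError("dev-server TLS is for local testing only; terminate TLS in a real web server")
    return {"host": "127.0.0.1", "port": 5000, "ssl_context": ssl_context}


if __name__ == "__main__":
    # Local demo only: serves https://127.0.0.1:5000/ with a throwaway certificate.
    from flask import Flask

    app = Flask(__name__)

    @app.route("/")
    def index():
        return "hello over TLS\n"

    app.run(**run_kwargs("adhoc"))
```

The same `build_server_context()` result is what you pass as `ssl_context=` when you want more than the tuple form offers; `describe_ssl_context()` turns a typo in a file path or a missing dependency into an error at start-up instead of a failed handshake later.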


2 answers


With the first two options, you provide your own certificate, which can (and should) be signed by a recognized authority, or by yourself if you manage the clients (this is the case either when you deploy your application in a context where you can install your certificate on each computer, or when your client is not a web browser but your own application, and you can ship the certificate along with it).

This assures the user that they are talking to the real server and not to someone trying to intercept the traffic.

The third option creates a self-signed certificate, which provides no such guarantee to the user.



From a user experience perspective, using a self-signed certificate when the client is a web browser raises a warning about the validity of the certificate that says something like "serious websites don't blindly ask you to accept an unknown certificate."

To summarize, you have three options (your options 1 and 2 come down to the same thing in the end):

  • Options 1 and 2 with a certificate signed by a recognized authority: the only good solution for a public web application / website.
  • Options 1 and 2 with your own certificate (or one signed by your own CA) deployed on each client: a good solution when you can install a certificate on each client. It's a bad decision if you have to ask your clients to do this.
  • Option 3: a good solution for lab testing. A terrible decision in any other context I can think of.
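What the answer's three trust situations look like to a client, as an added example that is not part of the original answer and not Flask's or Werkzeug's own code. It mints a throwaway private CA and a server certificate signed by it, then runs a real TLS handshake in memory (ssl.MemoryBIO) three times: a browser-like client that only trusts the public trust store (the warning page), a client on which our CA has been installed (the "deployed on each client" case), and that same client when the name in the certificate does not match the host it asked for (the interception case). The server context is exactly what `app.run(ssl_context=ctx)` would take. Assumptions: the `openssl` command-line tool is on PATH (used only to create the test certificates), and all file and function names are this example's own.

```python
"""Added example: private CA vs. public trust store vs. wrong hostname,
checked with in-memory TLS handshakes. Not Flask/Werkzeug code.
Assumption: the openssl CLI is available to mint throwaway certificates."""
import os
import shutil
import ssl
import subprocess


def _openssl(workdir, *args):
    """Run one openssl command inside workdir (assumption: openssl is on PATH)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found; cannot mint test certificates")
    subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)


def make_private_ca_and_server_cert(workdir):
    """Mint ca.pem (a self-signed CA) and srv.pem/srv.key (a leaf for 'localhost'
    signed by it). Returns the three paths.

    ca.pem is what you would install on every client in the answer's second
    scenario; srv.pem/srv.key are what app.run(ssl_context=(srv.pem, srv.key))
    would load.
    """
    # The CA must be marked CA:TRUE or OpenSSL refuses to treat it as an issuer.
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", "/CN=Example Private CA", "-keyout", "ca.key", "-out", "ca.csr")
    with open(os.path.join(workdir, "ca.ext"), "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    _openssl(workdir, "x509", "-req", "-in", "ca.csr", "-signkey", "ca.key",
             "-days", "1", "-sha256", "-extfile", "ca.ext", "-out", "ca.pem")
    # Python, like browsers, matches the hostname against the SAN, not the CN,
    # so the leaf certificate must carry subjectAltName.
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", "/CN=localhost", "-keyout", "srv.key", "-out", "srv.csr")
    with open(os.path.join(workdir, "srv.ext"), "w") as f:
        f.write("basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n")
    _openssl(workdir, "x509", "-req", "-in", "srv.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
             "-CAcreateserial", "-days", "1", "-sha256", "-extfile", "srv.ext", "-out", "srv.pem")
    return tuple(os.path.join(workdir, name) for name in ("ca.pem", "srv.pem", "srv.key"))


def tls_handshake(server_ctx, client_ctx, hostname):
    """Drive a full handshake between two contexts over in-memory BIOs.

    Returns the negotiated protocol version; raises ssl.SSLCertVerificationError
    when the client rejects the server's certificate (unknown issuer or
    hostname mismatch), exactly as a socket-based client would.
    """
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(20):  # a TLS 1.2/1.3 handshake needs only a few round trips
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        s_in.write(c_out.read())   # client -> server flight
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        c_in.write(s_out.read())   # server -> client flight
        if client_done and server_done:
            return client.version()
    raise RuntimeError("handshake did not complete")


def _accepted(server_ctx, client_ctx, hostname):
    try:
        tls_handshake(server_ctx, client_ctx, hostname)
        return True
    except ssl.SSLCertVerificationError:
        return False


def trust_scenarios(workdir):
    """Map each of the answer's trust situations to whether the client accepts."""
    ca, cert, key = make_private_ca_and_server_cert(workdir)
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # what app.run() would use
    server.minimum_version = ssl.TLSVersion.TLSv1_2
    server.load_cert_chain(cert, key)
    browser_like = ssl.create_default_context()          # public trust store only
    ca_installed = ssl.create_default_context(cafile=ca)  # our CA deployed on the client
    return {
        "public_trust_store": _accepted(server, browser_like, "localhost"),
        "private_ca_installed": _accepted(server, ca_installed, "localhost"),
        "private_ca_wrong_name": _accepted(server, ca_installed, "evil.example"),
    }


if __name__ == "__main__":
    import tempfile
    print(trust_scenarios(tempfile.mkdtemp()))
```

The rejected `public_trust_store` case is the browser warning the answer describes; the rejected `private_ca_wrong_name` case is why a trusted certificate still has to name the host the client asked for, otherwise anyone holding a certificate from the same CA could sit in the middle. Installing the CA file on the client (`cafile=`) is what "deployed on each client" means in practice; a browser gets the same effect from importing ca.pem into its trust store.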


3. Security is the only thing that matters, and the answer is "never use the Werkzeug / Flask dev server in production". The ssl_context option is available for convenience during testing, but a production application must use a real application server and web server, such as uWSGI along with Nginx, configuring Nginx accordingly to serve a real TLS certificate.









