Update docs and replace password option

python · picnixz · Apr 5, 2025 · Feb 2, 2025 · Feb 2, 2025 · Feb 2, 2025
commit 96d4a686fe9fa2c993d66f0a4fbb68aba2285bc3
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
@@ -68,9 +68,7 @@ handler.  Code to create and run the server looks like this::
    specifying the Application-Layer Protocol Negotiation (ALPN) protocols
    supported by the server. ALPN allows the server and client to negotiate
    the application protocol during the TLS handshake. By default, it is set
-   to ``["http/1.1"]``, meaning the server will support HTTP/1.1. Other
-   possible values may include ``["h2", "http/1.1"]`` to enable HTTP/2
-   support.
+   to ``["http/1.1"]``, meaning the server will support HTTP/1.1.
 
    .. versionadded:: next
 
@@ -499,14 +497,18 @@ following command runs an HTTP/1.1 conformant server::
 
 The server can also support TLS encryption. The options ``--tls-cert`` and
 ``--tls-key`` allow specifying a TLS certificate chain and private key for
-secure HTTPS connections. Use ``--tls-password`` option if private keys are
+secure HTTPS connections. Use ``--tls-password-file`` option if private keys are
 passphrase-protected. For example, the following command runs the server with
 TLS enabled::
 
-        python -m http.server --tls-cert cert.pem --tls-key key.pem --tls-password
+        python -m http.server --tls-cert fullchain.pem
+
+Or if a separate file with private key passphrase-protected::
+
+        python -m http.server --tls-cert cert.pem --tls-key key.pem --tls-password-file password.txt
 
 .. versionchanged:: next
-   Added the ``--tls-cert``, ``--tls-key`` and ``--tls-password`` options.
+   Added the ``--tls-cert``, ``--tls-key`` and ``--tls-password-file`` options.
 
 .. class:: CGIHTTPRequestHandler(request, client_address, server)
 

diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
@@ -447,8 +447,8 @@ http
   added to ``python -m http.server``:
 
   * ``--tls-cert <path>``: Path to the TLS certificate file.
-  * ``--tls-key <path>``: Path to the private key file.
-  * ``--tls-password <password>``: Optional password for the private key.
+  * ``--tls-key <path>``: Optional path to the private key file.
+  * ``--tls-password-file <path>``: Optional path to the password for the private key.
 
   (Contributed by Semyon Moroz in :gh:`85162`.)
 

diff --git a/Lib/http/server.py b/Lib/http/server.py
@@ -106,12 +106,6 @@
 import time
 import urllib.parse
 
-try:
-    import ssl
-except ImportError:
-    ssl = None
-
-from getpass import getpass
 from http import HTTPStatus
 
 
@@ -1262,9 +1256,12 @@ class HTTPSServer(HTTPServer):
     def __init__(self, server_address, RequestHandlerClass,
                  bind_and_activate=True, *, certfile, keyfile=None,
                  password=None, alpn_protocols=None):
-        if ssl is None:
-            raise RuntimeError("SSL support missing")
+        try:
+            import ssl
+        except ImportError:
+            raise RuntimeError("SSL module is missing; HTTPS support is unavailable")
 
+        self.ssl = ssl
         self.certfile = certfile
         self.keyfile = keyfile
         self.password = password
@@ -1281,10 +1278,8 @@ def server_activate(self):
         self.socket = context.wrap_socket(self.socket, server_side=True)
 
     def _create_context(self):
-        if ssl is None:
-            raise RuntimeError("SSL support missing")
-
-        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        """Create a secure SSL context."""
+        context = self.ssl.create_default_context(self.ssl.Purpose.CLIENT_AUTH)
         context.load_cert_chain(certfile=self.certfile,
                                 keyfile=self.keyfile,
                                 password=self.password)
@@ -1343,8 +1338,6 @@ def test(HandlerClass=BaseHTTPRequestHandler,
     import argparse
     import contextlib
 
-    PASSWORD_EMPTY = object()
-
     parser = argparse.ArgumentParser()
     parser.add_argument('--cgi', action='store_true',
                         help='run as CGI server')
@@ -1362,22 +1355,26 @@ def test(HandlerClass=BaseHTTPRequestHandler,
                         help='path to the TLS certificate')
     parser.add_argument('--tls-key', metavar='PATH',
                         help='path to the TLS key')
-    parser.add_argument('--tls-password', metavar='PASSWORD', nargs='?',
-                        default=None, const=PASSWORD_EMPTY,
-                        help='password for the TLS key '
-                             '(default: empty)')
+    parser.add_argument('--tls-password-file', metavar='PATH',
+                        help='file containing the password for the TLS key')
     parser.add_argument('port', default=8000, type=int, nargs='?',
                         help='bind to this port '
                              '(default: %(default)s)')
     args = parser.parse_args()
 
     if not args.tls_cert and args.tls_key:
-        parser.error('--tls-key requires --tls-cert to be set')
+        parser.error("--tls-key requires --tls-cert to be set")
+
+    tls_key_password = None
+    if args.tls_password_file:
+        if not args.tls_cert:
+            parser.error("--tls-password-file requires --tls-cert to be set")
 
-    if not args.tls_key and args.tls_password:
-        parser.error("--tls-password requires --tls-key to be set")
-    elif args.tls_password is PASSWORD_EMPTY:
-        args.tls_password = getpass("Enter the password for the TLS key: ")
+        try:
+            with open(args.tls_password_file, "r", encoding="utf-8") as f:
+                tls_key_password = f.read().strip()
+        except (OSError, IOError) as e:
+            parser.error(f"Failed to read TLS password file: {e}")
 
     if args.cgi:
         handler_class = CGIHTTPRequestHandler
@@ -1406,5 +1403,5 @@ def finish_request(self, request, client_address):
         protocol=args.protocol,
         tls_cert=args.tls_cert,
         tls_key=args.tls_key,
-        tls_password=args.tls_password,
+        tls_password=tls_key_password,
     )
diff --git a/Misc/NEWS.d/next/Library/2025-02-02-00-30-09.gh-issue-85162.BNF_aJ.rst b/Misc/NEWS.d/next/Library/2025-02-02-00-30-09.gh-issue-85162.BNF_aJ.rst
@@ -1,6 +1,6 @@
 The :mod:`http.server` module now includes built-in support for HTTPS
 server. New :class:`http.server.HTTPSServer` class is an implementation of
 HTTPS server that uses :mod:`ssl` module by providing a certificate and
-private key. The ``--tls-cert``, ``--tls-key`` and ``--tls-password``
+private key. The ``--tls-cert``, ``--tls-key`` and ``--tls-password-file``
 arguments have been added to ``python -m http.server``. Patch by Semyon
 Moroz.