[Twisted-Python] SSL: Getting the client certificate
lists at dirk-loss.de
Sun Aug 26 16:23:49 EDT 2007
Jean-Paul Calderone wrote:
> This solution has at least two related problems:
> * it will block the reactor until the handshake for that client completes,
Yes, it's ugly. Not being able to run other application code is no
problem in my case, so I thought I could live with that. But the possible
DoS attack you mentioned should be avoided, of course.
> The ideal solution would be to fix the bug in Twisted's SSL support so that
> connectionMade is called at the right time.
This would be nice. Maybe I should take a deeper look at Twisted's SSL code.
> Another possible solution might be to do your verification using the SSL context object.
Could you elaborate on this? I think I am already using the SSL context
object to do the verification:
from twisted.application import service, internet
from twisted.internet import ssl

# myKey, trustedCA, listenport and MyAppFactory are placeholders here.
theCert = ssl.PrivateCertificate.loadPEM(open(myKey).read())
theCA = ssl.Certificate.loadPEM(open(trustedCA).read())
ctx = theCert.options(theCA)    # CertificateOptions trusting only theCA
ctx.verify = True               # verify the peer's certificate
ctx.verifyDepth = 9
ctx.requireCertificate = True   # fail the handshake if no client cert is sent
ctx.verifyOnce = False
application = service.Application("MySSLServer")
MyService = internet.SSLServer(listenport, MyAppFactory(), ctx)
MyService.setServiceParent(application)   # attach it so twistd starts it
(Above code obviously will not run. Just to show the basic steps I take.)
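The following is an added example, not code from the post or from Twisted. It shows what "verification using the SSL context object" looks like one level below CertificateOptions: a pyOpenSSL verify callback set on the server Context, which receives the client certificate while OpenSSL is validating the chain, so nothing has to block the reactor waiting for the handshake. It drives the handshake over in-memory BIOs (no sockets, no Twisted) and generates a throwaway CA, server and client certificate with the cryptography library; the CN values, function names and the "rogue CA" second case are all constructed for the demo. Requires pyOpenSSL and cryptography.

```python
"""Added example: capture the client certificate in a pyOpenSSL verify callback."""
import datetime

from OpenSSL import SSL, crypto
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_cert(cn, issuer=None, is_ca=False):
    """Constructed test PKI: return (private key, certificate).
    issuer is a (key, cert) pair; None means self-signed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    if issuer is None:
        issuer_name, signing_key = subject, key
    else:
        signing_key, issuer_name = issuer[0], issuer[1].subject
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(hours=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return key, cert


class ClientCertCapture:
    """Verify-callback state: remembers the leaf certificate OpenSSL accepted."""

    def __init__(self):
        self.client_cn = None

    def __call__(self, conn, cert, errnum, depth, ok):
        # Invoked once per chain element, root first. Keep OpenSSL's verdict
        # (ok) and record the leaf (depth 0) only if it verified.
        if ok and depth == 0:
            self.client_cn = cert.get_subject().CN
        return bool(ok)


def server_context(key, cert, ca_cert, capture):
    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.use_privatekey(crypto.PKey.from_cryptography_key(key))
    ctx.use_certificate(crypto.X509.from_cryptography(cert))
    ctx.get_cert_store().add_cert(crypto.X509.from_cryptography(ca_cert))
    # The Context-level equivalent of verify=True, requireCertificate=True.
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, capture)
    ctx.set_verify_depth(9)
    return ctx


def client_context(key, cert):
    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.use_privatekey(crypto.PKey.from_cryptography_key(key))
    ctx.use_certificate(crypto.X509.from_cryptography(cert))
    return ctx  # demo client does not verify the server


def _pump(src, dst):
    """Move TLS records from src's outgoing memory BIO to dst's incoming one."""
    while True:
        try:
            data = src.bio_read(65536)
        except SSL.WantReadError:
            return
        dst.bio_write(data)


def handshake(server_ctx, client_ctx):
    """Non-blocking handshake over memory BIOs. True on success, False if the
    server rejects the client (verify callback returned False)."""
    server = SSL.Connection(server_ctx, None)
    server.set_accept_state()
    client = SSL.Connection(client_ctx, None)
    client.set_connect_state()
    for _ in range(16):
        finished = 0
        for side in (client, server):
            try:
                side.do_handshake()
                finished += 1
            except SSL.WantReadError:
                pass
            except SSL.Error:
                return False
        _pump(client, server)
        _pump(server, client)
        if finished == 2:
            return True
    raise RuntimeError("handshake did not converge")


def authenticate(ca, client_key, client_cert):
    """Return the client's CN if its certificate chains to ca, else None."""
    server_key, server_cert = make_cert("server.example", issuer=ca)
    capture = ClientCertCapture()
    ok = handshake(server_context(server_key, server_cert, ca[1], capture),
                   client_context(client_key, client_cert))
    return capture.client_cn if ok else None


def demo():
    ca = make_cert("Trusted CA", is_ca=True)
    rogue_ca = make_cert("Rogue CA", is_ca=True)  # not in the server's store
    good_key, good_cert = make_cert("alice", issuer=ca)
    bad_key, bad_cert = make_cert("mallory", issuer=rogue_ca)
    return authenticate(ca, good_key, good_cert), authenticate(ca, bad_key, bad_cert)


if __name__ == "__main__":
    print(demo())  # ('alice', None)
```

The point of the callback is that the identity is available as soon as OpenSSL has checked the chain, before any application data, so a protocol that needs it can store it on the connection object instead of polling getPeerCertificate() from connectionMade, where the handshake has not happened yet. In Twisted the same hook is reachable by returning such a Context from a custom context factory's getContext().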