[Twisted-Python] client side cert?

Eli Criffield elicriffield at gmail.com
Wed May 2 00:30:27 EDT 2007


I'm trying to make a simple xmlrpc server that uses ssl and requires
the client to have a cert signed by me.

Sounds easy enough, It doesn't seem to work. It would appear that
twisted.internet.ssl.CertificateOptions() Has all the options i need
to make a ContextFactory object to feed to listenSSL, but i get this
error when i try to setup the listenSSL.

  File "./xmlrpc-server.py", line 38, in <module>
    reactor.listenSSL(7080,server.Site(r),ctx)
  File "/usr/lib/python2.5/site-packages/twisted/internet/posixbase.py",
line 492, in listenSSL
    p.startListening()
  File "/usr/lib/python2.5/site-packages/twisted/internet/tcp.py",
line 730, in startListening
    skt = self.createInternetSocket()
  File "/usr/lib/python2.5/site-packages/twisted/internet/ssl.py",
line 169, in createInternetSocket
    return SSL.Connection(self.ctxFactory.getContext(), sock)
  File "/usr/lib/python2.5/site-packages/twisted/internet/_sslverify.py",
line 901, in getContext
    self._context = self._makeContext()
  File "/usr/lib/python2.5/site-packages/twisted/internet/_sslverify.py",
line 910, in _makeContext
    ctx.use_certificate(self.certificate)
TypeError: Expected an X509 object


My code:
if __name__ == '__main__':
    from twisted.internet import reactor, ssl
    import OpenSSL
    r = Example()
    pem = OpenSSL.crypto.FILETYPE_PEM
    xfd = open('test.cert','r')
    x590cert = ssl.Certificate.loadPEM(xfd.read())
    pfd = open('test.key','r')
    pkeycert =  OpenSSL.crypto.load_privatekey(pem,pfd.read(),'password')
    ctx = ssl.CertificateOptions(privateKey=pkeycert,certificate=x590cert,method=OpenSSL.SSL.SSLv23_METHOD)
    reactor.listenSSL(7080,server.Site(r),ctx)
    reactor.run()

I try to make the x590 object to feed to CertificateOptions from
t.i.s.Certifcate.loadPEM() but it doesn't like it. I see nowhere in
t.i.ssl to make a PKey object that t.i.s.CertificationOptions() wants.

I've tried t.i.s.ContextFactory() but there is no options for
requiring a client side cert.
t.i.s.ClientContextFactory doesn't seem to have any options to tell it
what cert to use on the client side either, or how to verify the
server cert, I guess thats what t.i.s.CertificationOptions() is for
but it doesn't seem to work as documented.

Is there some great documentation out there about how to do this with
twisted.internet.ssl that I'm missing?

Eli Criffield




More information about the Twisted-Python mailing list