[Twisted-Python] SSLContext not valid for TLS Server

[Thomas Hartwich]

I think I now know why it is not working. As I initially suspected that ECC could be the reasons, it seems to have come true. No matter what kind of ECC curve I use, the current implementation of Twisted always uses prime256v1 curve. Maybe because pyOpenSSL hasn't got full ECC support currently!? (got it from some comments in _sslverify.py)

In my setting I use secp521r1 curve and for testing purpose I created a key pair of prime256v1 and this works with CertificateOptions. If you have a look at the implementations of twisted.internet._sslverify you will see that prime256v1 is always used as default curve and it seems that no other curve is being accepted. This should be the reason why CertificateOptions does not work for my ECC key.

But somehow it works even with secp521r1, if I use the DefaultOpenSSLContextFactory. So do you know any workaround how it can be fixed that twisted accepts other curves than prime256v1?

Thank you!
 

Gesendet: Mittwoch, 23. August 2017 um 06:21 Uhr
Von: Glyph <glyph at twistedmatrix.com>
An: "Twisted general discussion" <twisted-python at twistedmatrix.com>
Betreff: Re: [Twisted-Python] SSLContext not valid for TLS Server

 

On Aug 22, 2017, at 9:16 AM, Thomas Hartwich <ceeborraa at gmx.de[mailto:ceeborraa at gmx.de]> wrote: 

Yes, you're right for sure. As an alternative I tried to instantiate an object from twisted.internet._sslverify.OpenSSLCertificateOptions (as it is used by PrivateCertificate e.g.):

co = OpenSSLCertificateOptions(privateKey=pkey,certificate=cert_obj)
 
Please note that importing names with "._" in them is relying on private API :).  The public alias for this is `twisted.internet.ssl.CertificateOptions` https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.ssl.CertificateOptions.html[https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.ssl.CertificateOptions.html] 

Despite it provides a SSL-context, it does not work similarly to the options() method I tried before from PrivateCertificate().

Can you tell me how I can make use of IOpenSSLServerConnectionCreator to create a valid SSL-Context for the TLS server in my case?
 
You should probably just use CertificateOptions - I still would like to understand why it doesn't work ;-).
 
https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html[https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html] is documented here; this is just the interface you should implement (rather than subclassing ContextFactory and implementing getContext) if you want to do something totally custom with the OpenSSL API rather than Twisted's API; I'd still rather understand why Twisted's API, i.e. CertificateOptions, doesn't work for you.
 
-glyph 

Thank you!
 

Gesendet: Sonntag, 20. August 2017 um 22:36 Uhr
Von: Glyph <glyph at twistedmatrix.com[mailto:glyph at twistedmatrix.com]>
An: "Twisted general discussion" <twisted-python at twistedmatrix.com[mailto:twisted-python at twistedmatrix.com]>
Betreff: Re: [Twisted-Python] SSLContext not valid for TLS Server

 

On Aug 20, 2017, at 9:30 AM, Thomas Hartwich <ceeborraa at gmx.de[mailto:ceeborraa at gmx.de][mailto:ceeborraa at gmx.de[mailto:ceeborraa at gmx.de]]> wrote: 
 Ok, I finally got a solution for my problem. As I know, the TLS server was working with DefaultOpenSSLContextFactory but this only takes file paths to private key/certificate, I created my own SSL-Context file.

For anybody who has the same problem: 
Please note that this solution will prevent the use of TLS 1.3 when it is available, among other problems.
 
DefaultOpenSSLContextFactory should be deprecated (I hope someone has the time to do it soon), as is the 'getContext' interface that you're using (you should be using https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html[https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html[https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html[https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html]] ) so it would be really good to understand what part of the non-deprecated TLS stack is broken for you.
 
-glyph_______________________________________________ Twisted-Python mailing list Twisted-Python at twistedmatrix.com[mailto:Twisted-Python at twistedmatrix.com] https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python[https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python]

_______________________________________________
Twisted-Python mailing list
Twisted-Python at twistedmatrix.com[mailto:Twisted-Python at twistedmatrix.com]
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
_______________________________________________ Twisted-Python mailing list Twisted-Python at twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python[https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python]