On Fri, May 23, 2008 at 3:32 PM, Jean-Paul Calderone <<a href="mailto:exarkun@divmod.com">exarkun@divmod.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c">On Fri, 23 May 2008 12:29:44 -0500, Kevin Horn <<a href="mailto:kevin.horn@gmail.com" target="_blank">kevin.horn@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Howdy list,<br>
<br>
I'm trying to implement a protocol using Twisted which has a "STARTTLS"<br>
command to switch the protocol from plain TCP to TCP over TLS.<br>
<br>
I've mostly been going by the way that the imap4.py module seems to do it,<br>
but I can't seem to get a handshake to complete.<br>
<br>
I found this page ( <a href="http://wiki.vislab.usyd.edu.au/moin.cgi/SSLCertNotes" target="_blank">http://wiki.vislab.usyd.edu.au/moin.cgi/SSLCertNotes</a> )<br>
which was helpful, but I don't want to force client cert authentication.<br>
<br>
In order to separate this problem from other issues, I've adapted the echo<br>
protocol code from the above page to try and get a simple test case<br>
(my code below)<br>
<br>
I am receiving the following output and traceback when running the client<br>
code ( on both Windows and Linux ):<br>
<br>
using TLSv1:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
tls_echoclient.py<br>
</blockquote>
<br>
Sending: Hello, world!<br>
receive: ERROR: Must authenticate<br>
Sending: STARTTLS<br>
receive: READY<br>
Sending: Continuing<br>
connection lost (protocol)<br>
connection lost: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake<br>
failure'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]<br>
Traceback (most recent call last):<br>
File "C:\Documents and<br>
Settings\kevinh\Desktop\mine_id\sandbox\funsize\sslecho\tls_echoclient.py",<br>
line 58, in <module><br>
reactor.run()<br>
File "C:\Python25\lib\site-packages\twisted\internet\posixbase.py", line<br>
223, in run<br>
self.mainLoop()<br>
File "C:\Python25\lib\site-packages\twisted\internet\posixbase.py", line<br>
234, in mainLoop<br>
self.doIteration(t)<br>
File "C:\Python25\lib\site-packages\twisted\internet\selectreactor.py",<br>
line 140, in doSelect<br>
_logrun(selectable, _drdw, selectable, method, dict)<br>
--- <exception caught here> ---<br>
File "C:\Python25\lib\site-packages\twisted\python\log.py", line 51, in<br>
callWithLogger<br>
return callWithContext({"system": lp}, func, *args, **kw)<br>
<< SNIP >><br>
File "C:\Python25\lib\site-packages\twisted\internet\base.py", line 490,<br>
in stop<br>
"Can't stop reactor that isn't running.")<br>
twisted.internet.error.ReactorNotRunning: Can't stop reactor that isn't<br>
running.<br>
<br>
What am I doing wrong? Is there an SSL config option I'm setting<br>
incorrectly? Do I need to use a different SSL Context? Am I totally off<br>
base?<br>
<br>
Thanks,<br>
<br>
</blockquote>
<br></div></div>
The traceback here is just because you're calling reactor.stop() twice,<br>
once in Protocol.connectionLost, then again in Factory.clientConnectionLost.<br>
Get rid of one of these and at least you'll get rid of some spurious noise.<br>
</blockquote><div> <br>Thanks for responding, Jean-Paul, and thanks for the tip. I've been so consumed <br>with reading through the noise that for some reason it never occurred to me to try <br>and get rid of it.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
As far as the TLS part of your code goes, it basically looks okay. By doing<br>
a sendLine immediately before you call startTLS, you risk running into #686,<br>
but if you actually hit that, you should see a warning and the connection<br>
should be closed without an OpenSSL error.<br>
<br>
So I'm not exactly sure what problem you're encountering. To further<br>
complicate matters, when I run your code, TLS is successfully negotiated.<br>
</blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Jean-Paul</blockquote><div><br><br>Well that's ... frustrating. I was hoping I had just overlooked something <br>obvious (and easy to fix!)<br><br>Can you tell me more about the environment you are running under?<br>
<br>So far I've tried:<br>WinXP, Python 2.5, Twisted 8.0.1, pyOpenSSL 0.7, OpenSSL 0.9.8g<br>Linux(CentOS), Python 2.4, Twisted 8.1.0, pyOpenSSL 0.7, OpenSSL 0.9.7a<br><br>Perhaps there is something wrong with my certificates? I would expect that <br>
this would cause errors on the server end, though...<br><br>Is there any way to get more information about the handshake failure? </div></div><br>Thanks, <br><br>Kevin Horn<br>