<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 19, 2015, at 8:36 AM, Louis D. Burr <<a href="mailto:ldanielburr@me.com" class="">ldanielburr@me.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Timothy,<div class="">
<br class=""><div class=""><blockquote type="cite" class=""><div class="">On Mar 19, 2015, at 9:56 AM, Timothy Gallagher <<a href="mailto:timothy.gallagher@nuspire.com" class="">timothy.gallagher@nuspire.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hello all,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I have a project that requires client server with ssl/tls including client certificate authentication.  Also the a requirement is that the client needs to use a .p12 file to house its keys.  I have the server part and client part down except I cannot find any code examples using a .p12 file to get the certificates.  Can this be done without having to hack into the ssl.ClientConextFactory?</div></div></div></blockquote><div class=""><br class=""></div><div class="">Maybe <a href="http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto" class="">http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto</a> will be useful to you.  Twisted uses pyopenssl under the covers, so the solution exarkun posted to StackOverflow should be applicable.</div><div class=""><br class=""></div><div class="">Hope this helps,</div><div class=""><br class="">- L. Daniel Burr<br class=""></div></div></div></div></div></blockquote></div><br class=""><div class="">You definitely shouldn't use ssl.ClientContextFactory.  
It doesn't verify certificates, or provide any authentication of the server.  We should really remove and deprecate it :-\.</div><div class=""><br class=""></div><div class="">You should use ssl.optionsForClientTLS, and you should build it like this:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">import getpass</div><div class=""><br class=""></div><div class="">from OpenSSL.crypto import load_pkcs12</div><div class="">from twisted.internet.ssl import (</div><div class="">    PrivateCertificate, KeyPair, Certificate, optionsForClientTLS</div><div class="">)</div><div class=""><br class=""></div><div class="">from twisted.internet.protocol import Factory, Protocol</div><div class="">from twisted.internet.endpoints import SSL4ClientEndpoint</div><div class="">from twisted.internet.defer import inlineCallbacks, Deferred</div><div class="">from twisted.internet.task import react</div><div class=""><br class=""></div><div class="">@inlineCallbacks</div><div class="">def main(reactor, p12file, host, port=443):</div><div class="">    # argv entries are bytes on Python 2; optionsForClientTLS wants a text hostname.</div><div class="">    host = host.decode("utf-8")</div><div class="">    port = int(port)</div><div class="">    # A .p12 bundle is binary DER, so read it in binary mode; the password is</div><div class="">    # prompted for rather than passed on the command line.</div><div class="">    with open(p12file, "rb") as f:</div><div class="">        pkcs12 = load_pkcs12(f.read(), getpass.getpass())</div><div class="">        publicCertificate = Certificate(pkcs12.get_certificate())</div><div class="">        privateKey = KeyPair(pkcs12.get_privatekey())</div><div class="">        privateCertificate = PrivateCertificate.fromCertificateAndKeyPair(</div><div class="">            publicCertificate, privateKey</div><div class="">        )</div><div class="">    # optionsForClientTLS verifies the server's certificate against the platform</div><div class="">    # trust roots and checks it against `host`; clientCertificate is the</div><div class="">    # certificate and key we present for client authentication.</div><div class="">    contextFactory = optionsForClientTLS(host,</div><div class="">                                         clientCertificate=privateCertificate)</div><div class="">    endpoint = SSL4ClientEndpoint(reactor, host, port, contextFactory)</div><div class="">    x = Deferred()</div><div class="">    class it(Protocol, object):</div><div class="">        def connectionMade(self):</div><div class="">            self.transport.write(b"GET / HTTP/1.1\r\n\r\n")</div><div class="">        def dataReceived(self, data):</div><div class="">            # Report the server's certificate once the handshake has completed,</div><div class="">            # then drop the connection.</div><div class="">            x.callback(Certificate.peerFromTransport(self.transport))</div><div class="">            self.transport.abortConnection()</div><div class="">    yield endpoint.connect(Factory.forProtocol(it))</div><div class="">    cert = yield x</div><div class="">    print(cert)</div><div class=""><br class=""></div><div class="">from sys import argv</div><div class="">react(main, argv[1:])</div></div></blockquote><div class=""><br class=""></div><div class="">Hopefully that's a pretty complete answer :-).</div><div class=""><br class=""></div><div class="">-glyph</div></body></html>