[Twisted-web] Converting endpoints.serverFromString to TLS_v3

Glyph glyph at twistedmatrix.com
Sun Mar 29 16:29:00 MDT 2020


For what it's worth, the implementation of wrapServerTLS is fairly straightforward; you can see it here: https://github.com/glyph/txsni/blob/5014c141a7acef63e20fcf6c36fa07f0cd754ce1/txsni/tlsendpoint.py#L3-L12

We just need someone to write up some nice docstrings, update the docs, test cases, etc so we can integrate this into Twisted.

Once we've got that, we can quickly begin the process of eliminating SSL4ServerEndpoint.  (We should not add an SSL6ServerEndpoint, as that would be as much or more work than adding wrapServerTLS, and a worse implementation strategy.)

-glyph

> On Mar 28, 2020, at 4:47 PM, Tom Most <twm at freecog.net> wrote:
> 
> Hi Axel,
> 
> I don't know offhand how to produce a string that does what you want, but it will probably be much easier to instantiate the endpoint classes directly.
> 
> https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.SSL4ServerEndpoint.html
> 
> I think we're missing an SSL6ServerEndpoint, unfortunately.
> 
> Also unfortunately, SSL4ServerEndpoint is an old-style API (it uses reactor.listenSSL underneath). It takes an IOpenSSLContextFactory that can customize the OpenSSL context arbitrarily.
> 
> The new API, used by the ssl: client string syntax, is wrapClientTLS <https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#wrapClientTLS>. We don't have a wrapServerTLS yet, but it's definitely something we should have, if you're interested in adding it. You'd wrap that around TCP4ServerEndpoint and TCP6ServerEndpoint.
> 
> ---Tom
> 
> 
> On Thu, Mar 26, 2020, at 12:24 PM, Axel Rau wrote:
>> Hi,
>> 
>> How can I convert the plugin code below to a recent security level, to TLSv3, dhparams and extraCertChain?
>> Is OCSP stapling available in Twisted meanwhile?
>> 
>> Thanks, Axel
>> 
>> # Imports the snippet relies on (the plugin module has these at the top)
>> from twisted.application import internet
>> from twisted.application.service import MultiService
>> from twisted.internet import endpoints, reactor
>> 
>> 
>> class MeteoServiceMaker(object):
>>     # The IServiceMaker/IPlugin declarations and the Options class are not
>>     # shown here; meteo_factory is the protocol factory defined elsewhere
>>     # in the plugin.
>> 
>>     def makeService(self, options):
>>         """
>>         makeService() returns an IService.
>>         twisted.application.service.MultiService[1] is an IService that
>>         composes other services (it's an IServiceCollection).
>>         """
>>         # Argument order matters: privateKey takes the key file and
>>         # certKey the certificate file.
>>         ipv4_server = endpoints.serverFromString(
>>             reactor, 'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
>>                 options['port'],
>>                 endpoints.quoteStringArgument(options['key_path']),
>>                 endpoints.quoteStringArgument(options['cert_path']),
>>                 options['ipv4_address']))
>> 
>>         # The IPv6 address contains colons, so it must be quoted or the
>>         # endpoint parser will split it into separate arguments.
>>         ipv6_server = endpoints.serverFromString(
>>             reactor, 'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
>>                 options['port'],
>>                 endpoints.quoteStringArgument(options['key_path']),
>>                 endpoints.quoteStringArgument(options['cert_path']),
>>                 endpoints.quoteStringArgument(options['ipv6_address'])))
>> 
>>         ipv4 = internet.StreamServerEndpointService(ipv4_server, meteo_factory)
>>         ipv6 = internet.StreamServerEndpointService(ipv6_server, meteo_factory)
>>         root = MultiService()
>>         ipv4.setServiceParent(root)
>>         ipv6.setServiceParent(root)
>>         return root
>> 
>> 
>> serviceMaker = MeteoServiceMaker()
>> 
>> ---
>> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>> 
>> 
> 
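An added example, not code from this thread, from txsni or from Twisted itself, that puts the two approaches discussed above side by side. The pure-Python part builds and parses the ssl: description Axel's plugin uses, with privateKey/certKey in the right order and colon-bearing values (IPv6 addresses) escaped the way endpoints.quoteStringArgument escapes them. The Twisted part is a wrapServerTLS-style endpoint in the spirit of the txsni tlsendpoint.py Glyph links, wrapping TCP4ServerEndpoint and TCP6ServerEndpoint as Tom suggests, with a CertificateOptions that raises the minimum to TLS 1.3 and carries the extra certificate chain and DH parameters Axel asks about. The names quote_endpoint_argument, build_ssl_endpoint_string, parse_endpoint_description, build_tls_context_factory, TLSServerEndpoint, make_tls_service and the chain_paths/dh_path parameters are my own; CertificateOptions, TLSVersion, DiffieHellmanParameters, TLSMemoryBIOFactory and the TCP endpoint classes are real Twisted APIs. Twisted imports are done inside the functions so the string helpers run without Twisted installed.

```python
# Added example (not from the thread, txsni or Twisted). Assumed names:
# quote_endpoint_argument, build_ssl_endpoint_string, parse_endpoint_description,
# build_tls_context_factory, TLSServerEndpoint, make_tls_service.


def quote_endpoint_argument(value):
    """Same escaping as endpoints.quoteStringArgument: a backslash protects
    backslashes and colons so the value survives the ':'-separated description."""
    return value.replace("\\", "\\\\").replace(":", "\\:")


def build_ssl_endpoint_string(port, key_path, cert_path, interface):
    """Legacy ssl: description. privateKey is the key file, certKey the cert."""
    return "ssl:{}:privateKey={}:certKey={}:interface={}".format(
        port,
        quote_endpoint_argument(key_path),
        quote_endpoint_argument(cert_path),
        quote_endpoint_argument(interface),
    )


def parse_endpoint_description(description):
    """Tokenizer matching the escaping above (what serverFromString does before
    dispatching on the first token): returns (positional_args, keyword_args)."""
    tokens, current, chars = [], [], iter(description)
    for ch in chars:
        if ch == "\\":
            current.append(next(chars, ""))   # escaped char is literal
        elif ch == ":":
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    positional, keyword = [], {}
    for tok in tokens:
        if "=" in tok:
            key, val = tok.split("=", 1)      # '=' inside a value stays literal
            keyword[key] = val
        else:
            positional.append(tok)
    return positional, keyword


def build_tls_context_factory(key_path, cert_path, chain_paths=(), dh_path=None):
    """CertificateOptions with TLS 1.3 as the floor, plus intermediate chain and
    DH parameters. chain_paths/dh_path are assumed option names."""
    from OpenSSL import crypto
    from twisted.internet import ssl
    from twisted.python.filepath import FilePath

    def read(path):
        with open(path, "rb") as f:
            return f.read()

    key = ssl.KeyPair.load(read(key_path), crypto.FILETYPE_PEM)
    cert = ssl.Certificate.loadPEM(read(cert_path))
    chain = [ssl.Certificate.loadPEM(read(p)).original for p in chain_paths]
    dh = ssl.DiffieHellmanParameters.fromFile(FilePath(dh_path)) if dh_path else None
    return ssl.CertificateOptions(
        privateKey=key.original,
        certificate=cert.original,
        extraCertChain=chain,
        dhParameters=dh,
        raiseMinimumTo=ssl.TLSVersion.TLSv1_3,  # needs OpenSSL with TLS 1.3
    )


class TLSServerEndpoint(object):
    """wrapServerTLS-style endpoint: wraps the protocol factory in
    TLSMemoryBIOFactory before handing it to the plain TCP endpoint.
    A real implementation would declare IStreamServerEndpoint via
    zope.interface's implementer."""

    def __init__(self, wrapped_endpoint, context_factory):
        self._wrapped = wrapped_endpoint
        self._context_factory = context_factory

    def listen(self, protocol_factory):
        from twisted.protocols.tls import TLSMemoryBIOFactory
        tls_factory = TLSMemoryBIOFactory(self._context_factory, False, protocol_factory)
        return self._wrapped.listen(tls_factory)


def make_tls_service(options, protocol_factory):
    """MultiService listening on IPv4 and IPv6 with the same TLS settings;
    option keys follow the plugin in the thread plus chain_paths/dh_path."""
    from twisted.application import internet
    from twisted.application.service import MultiService
    from twisted.internet import reactor
    from twisted.internet.endpoints import TCP4ServerEndpoint, TCP6ServerEndpoint

    ctx = build_tls_context_factory(options["key_path"], options["cert_path"],
                                    options.get("chain_paths", ()), options.get("dh_path"))
    root = MultiService()
    tcp_endpoints = (
        TCP4ServerEndpoint(reactor, options["port"], interface=options["ipv4_address"]),
        TCP6ServerEndpoint(reactor, options["port"], interface=options["ipv6_address"]),
    )
    for tcp in tcp_endpoints:
        svc = internet.StreamServerEndpointService(TLSServerEndpoint(tcp, ctx), protocol_factory)
        svc.setServiceParent(root)
    return root
```

One caveat on the settings themselves: with TLS 1.3 as the minimum, custom DH parameters are never used, because TLS 1.3 negotiates key exchange from fixed named groups; they only matter if TLS 1.2 is still allowed (for example raiseMinimumTo=TLSVersion.TLSv1_2).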