Ticket #3278 defect new
StartTLS doesn't work in AMP when both peers are TCP clients.
|Reported by:||Stas Shtin||Owned by:|
In my application clients are connected to server that sometimes acts as a proxy for them. Secure communication is one of requirements, and data shouldn't be readable by server as well. When I send AMP's StartTLS command that should go from client A to client B through the proxy, I get an error from OpenSSL. After looking at TCP dump, I've found out that both clients are starting TLS connection by sending client hello, which leads to "Bad message type" failure.
In my opinion, AMP should determine whether a peer should act as client or server for TLS connections depending on it being sender or receiver of StartTLS command, but not client or server for the TCP connection as it currently is. Otherwise it can't be used in non-trivial setups without monkey-patching.
For client side, twisted.internet.tcp.BaseClient.startTLS method is used to initiate TLS connection. It has an optional parameter client=1. So we can make the receiver of StartTLS amp command to act as server even if it on client side of connection. On server side, t.i.t.Server.startTLS is called that can in turn be used as TLS client, not server. But Server's optional parameter is server=1, so they have different method signature and duplicated code instead.
I've made a patch that fixes the problem that should explain previous paragraph more clearly.