[Twisted-Python] SSL problem

Steve Freitas sflist at ihonk.com
Thu Dec 21 01:49:44 EST 2006


Hi all.

I'm having trouble getting SSL working properly. I'm running a modified
t.m.pop3.POP3 server and it was running peachy on port 110, no problems
under real-world load, so I thought it'd be simple enough to add SSL
support by changing this...

INTERFACES = ('1.2.3.4','4.5.6.7', etc.)

for iface in INTERFACES:
    reactor.listenTCP(110, myPop3server, interface=iface)
reactor.run()

...to this:

INTERFACES = ('1.2.3.4','4.5.6.7', etc.)

sslContext = ssl.DefaultOpenSSLContextFactory(SSL_PRIVATE_KEY_FILE,
SSL_CERTIFICATE_FILE)

for iface in INTERFACES:
    reactor.listenTCP(110, myPop3server, interface=iface)
    reactor.listenSSL(995, myPop3server, interface=iface,
contextFactory=sslContext)
reactor.run()

Which worked fine when hitting it with a single client from my machine,
but failed miserably when hitting it from mail2web.com. Lots of errors
loading the message list and the messages. The log showed mail2web
connecting and then immediately dropping the connection. I tried
changing the code so I instantiated one sslContext per call to
listenSSL. That made it much better, but still not perfect. The errors
persisted.

So I tried dropping the calls to listenSSL, and wrapped the server with
stunnel. That worked perfectly, except since my host doesn't support
transparent proxying, my twisted app doesn't see the connecting client's
IP, and I need that, so that's not an option. It does implicate
twisted's particular flavor of SSL in my problems, though.

I don't know much about SSL, but I searched the twisted list and
couldn't find anything that helped, with the possible exception of a
query about support for SSL session resumption. I don't know what it is,
but it sounds useful. Anyway, if anybody could toss an idea or two my
way, I'd appreciate it.

Thanks,

Steve

P.S. for posterity: I got a tip from this list to use authbind when
trying to bind my twisted server to a privileged port (e.g. < 1024). For
those of you who might have trouble using authbind to allow your
non-root user to bind to ports between 512-1023, you need to get the
authbind source, then comment out helper.c:76 and libauthbind.c:151, at
least for version 1.1.5.2, where it checks the requested port against
IPPORT_RESERVED/2. The man page squawks about prohibiting these ports to
avoid creating a security hole in conjunction with rsh, but since rsh
_is_ a security hole, I'm not overly worried about that.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-python/attachments/20061221/1aa9086b/attachment.htm 


More information about the Twisted-Python mailing list