[Twisted-Python] SSL problem

Jean-Paul Calderone exarkun at divmod.com
Thu Dec 21 09:04:34 MST 2006


On Thu, 21 Dec 2006 09:32:22 -0600, Steve Freitas <sflist at ihonk.com> wrote:
>Thanks for the response, JP.
>
>On Thu, 2006-12-21 at 09:54 -0500, Jean-Paul Calderone wrote:
>
> [snip]
>
>> I'd _guess_ your context object isn't configured
>> quite right.
>
>IOW, there's something wrong with the key/cert I'm feeding it? Calling
>ssl.DefaultOpenSSLContextFactory(SSL_PRIVATE_KEY_FILE,
>SSL_CERTIFICATE_FILE) is so simple I'm not sure where I'd be going
>wrong. BTW, the cert was provided by RapidSSL, and it's what I used with
>stunnel as well.

It's possible (in fact, likely) you need to do something other than just
create the DefaultOpenSSLContextFactory, too.  There are a lot of dials
and knobs here - the context factory you're using works okay for a lot of
cases, but it isn't appropriate for all cases.

You have two pieces of data which are yours -  your private key and your
certificate (which is a csr signed by RapidSSL).  The client needs (at
least) one more piece of information, though - RapidSSL's certificate.

Try this.  Put RapidSSL's certificate into a file, subclass
DefaultOpenSSLContextFactory, override cacheContext, and on self._context,
call use_certificate_chain_file with the name of the file you put RapidSSL's
certificate into.

This causes the server to include it in the handshake which is often
required for clients to accept your certificate as valid.

>
>> At the very least, you
>> should share the SSL errors which are occurring.
>
>How do I get at these? I didn't see any tracebacks being tossed. I'm
>using 2.4.0.

At some point, I think connectionLost for SSL connections was adjusted
so that the SSL exception would be available.  However, the important
information is going to be on the client side, so unless that is using
Twisted as well (it sounds to me as though it is not), this won't help
you.  How to extract the extra information will depend on what software
is acting as the client.  Hopefully the above suggestion will resolve the
problem, though.

Jean-Paul
