[Twisted-Python] SSL: Getting the client certificate

Dirk Loss lists at dirk-loss.de
Sun Aug 26 16:23:49 EDT 2007


Jean-Paul Calderone wrote:
> This solution has at least two related problems:
>  * it will block the reactor until the handshake for that client completes,

Yes, it's ugly. Not being able to run other application code is no 
problem in my case, so I thought I could live with that. But the possible 
DoS attack you mentioned should be avoided, of course.

> The ideal solution would be to fix the bug in Twisted's SSL support so that
> connectionMade is called at the right time.  

This would be nice. Maybe I should take a deeper look at Twisted's SSL code.

> Another possible solution might be to do your verification using the SSL context object.  

Could you elaborate on this? I think I am already using the SSL context 
object to do the verification:

from twisted.application import internet, service
from twisted.internet import ssl

# myKey, trustedCA, listenport and MyAppFactory are defined elsewhere in the real code.
theCert = ssl.PrivateCertificate.loadPEM(open(myKey).read())   # server key + cert
theCA = ssl.Certificate.loadPEM(open(trustedCA).read())       # CA that signs client certs
ctx = theCert.options(theCA)          # CertificateOptions verifying peers against theCA
ctx.verify = True
ctx.verifyDepth = 9
ctx.requireCertificate = True         # clients without a certificate are rejected
ctx.verifyOnce = False
application = service.Application("MySSLServer")
MyService = internet.SSLServer(listenport, MyAppFactory(), ctx)
MyService.setServiceParent(application)

(Above code obviously will not run. Just to show the basic steps I take.)

Regards
Dirk
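An added example, not code from this thread or from Twisted itself, of what "verification using the SSL context object" can look like: the client-certificate rule is enforced in OpenSSL's verify callback, so it runs during the handshake and the reactor is never blocked waiting for it. The allow-list of common names is constructed, the PEM inputs are assumptions, and the decision logic is kept in a plain function so it can be tested without Twisted installed.

```python
# Added example (not from the original thread): enforce a client-certificate
# rule inside OpenSSL's verify callback, so the decision is taken during the
# handshake itself and no application code has to wait for the handshake.
# ALLOWED_CLIENT_CNS is a constructed allow-list; the PEM inputs are assumptions.

ALLOWED_CLIENT_CNS = frozenset({"alice", "bob"})


def client_cert_policy(preverify_ok, depth, common_name, allowed=ALLOWED_CLIENT_CNS):
    """Pure decision function behind the verify callback.

    preverify_ok: OpenSSL's own verdict (chain, signature, validity dates, depth limit).
    depth:        0 is the leaf, i.e. the client's certificate; >0 are CA certificates.
    common_name:  subject CN of the certificate at this depth (None if absent).
    Returns True to accept this link of the chain, False to abort the handshake.
    """
    if not preverify_ok:
        # Never overrule OpenSSL: an untrusted, expired or too-deep chain stays rejected.
        return False
    if depth > 0:
        # CA certificates: the trust-chain check already passed, nothing app-specific to add.
        return True
    # Leaf certificate: apply the application rule, here an allow-list on the subject CN.
    return common_name in allowed


def make_verify_callback(allowed=ALLOWED_CLIENT_CNS):
    """Wrap client_cert_policy in the signature pyOpenSSL's Context.set_verify expects."""
    def verify(connection, x509, errnum, depth, preverify_ok):
        cn = x509.get_subject().commonName
        return client_cert_policy(bool(preverify_ok), depth, cn, allowed)
    return verify


def build_context_factory(key_and_cert_pem, ca_pem, allowed=ALLOWED_CLIENT_CNS):
    """Return a Twisted context factory that runs client_cert_policy during the handshake.

    Twisted and pyOpenSSL are imported here rather than at module level so the
    policy above can be unit-tested without either installed.
    """
    from OpenSSL import SSL
    from twisted.internet import ssl

    server_cert = ssl.PrivateCertificate.loadPEM(key_and_cert_pem)
    trusted_ca = ssl.Certificate.loadPEM(ca_pem)
    # options() already turns on verify and requireCertificate against trusted_ca.
    base_options = server_cert.options(trusted_ca)
    callback = make_verify_callback(allowed)

    class ClientCertContextFactory(ssl.ContextFactory):
        def getContext(self):
            ctx = base_options.getContext()
            # Replace Twisted's default callback with ours. VERIFY_FAIL_IF_NO_PEER_CERT
            # makes a client that sends no certificate fail the handshake outright,
            # so the protocol never sees a connection without a verified peer cert.
            ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, callback)
            return ctx

    return ClientCertContextFactory()
```

Pass the object returned by build_context_factory() to internet.SSLServer in place of ctx. A client that fails either OpenSSL's chain check or the allow-list never completes the handshake, so the factory's protocol (and its connectionMade) is only ever reached for accepted clients; once the handshake has finished, self.transport.getPeerCertificate() returns the verified certificate, whereas before that point it is still None, which is the timing problem discussed above.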
