[Twisted-Python] TCP startTLS() negotiation
exarkun at twistedmatrix.com
Mon Aug 17 19:51:59 MDT 2009
On 15 Aug, 04:49 pm, kgeorge at tcpsoft.com wrote:
>I've noticed some behavior when negotiating TLS using startTLS(). I'm
>starting TLS on both sides of the connection at the same time to validate
>peer certificates using a custom callback. If I call startTLS() without
>any subsequent writes to the socket the negotiation never completes.
>However, if I write data immediately post startTLS() the negotiation (and
>the callback to the OpenSSL verify callback) is successful. But I don't
>want to do this because I want to wait until verification to proceed with
>communicating on the channel. So I traced through tcp.py and noticed that
>in Connection.startTLS() reads and writes are stopped while the
>negotiation is taking place. However, only reading is reenabled
>afterwards. I suppose this is why doing a write unblocks the connection.
>When I do something like this in my code I don't have to make a write:
>
>self.transport.startTLS(SSLContextFactory(...))
>self.transport.startWriting()
>
>The context factory makes its own SSL.Context very similar to _sslverify,
>but with a callback I can hook for verification.
>
>So the question is, why is reading reenabled but not writing? When I
>apply the patch below it works.
This sounds like a real bug. Probably it came from a naive copying of
some TCP code which doesn't have to do the initial writing that is
necessary for SSL. Can you file a ticket?
Jean-Paul
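An added illustration of the failure mode discussed above, written for this page and not code from the thread or from Twisted: two in-memory TLS endpoints driven with the standard-library `ssl.MemoryBIO` API, where `flush_writes=False` mirrors a transport that re-enables only reading after startTLS() (the handshake never completes because nobody delivers the ClientHello) and `flush_writes=True` mirrors the poster's `startWriting()` fix. It assumes an `openssl` binary on PATH to mint a throwaway self-signed certificate; the client verifies that certificate before any data would flow, which is the "wait until verification" ordering the poster wants.

```python
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(directory):
    """Constructed test material: a throwaway cert via the openssl CLI (assumed on PATH)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def drive_handshake(flush_writes, max_rounds=10):
    """Each round: both sides try do_handshake() (the "reading" half); then,
    only if flush_writes, each side's pending output is delivered to its peer
    (the "writing" half). Returns ({side: finished}, verified peer subject)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.check_hostname = False          # no SAN on the throwaway cert
        client_ctx.verify_mode = ssl.CERT_REQUIRED  # peer cert must verify
        client_ctx.load_verify_locations(cafile=cert)

        c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
        client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
        server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
        done = {"client": False, "server": False}
        for _ in range(max_rounds):
            for name, conn in (("client", client), ("server", server)):
                if not done[name]:
                    try:
                        conn.do_handshake()
                        done[name] = True
                    except ssl.SSLWantReadError:
                        pass  # blocked on bytes the peer has not flushed
            if flush_writes:
                s_in.write(c_out.read())  # deliver client -> server
                c_in.write(s_out.read())  # deliver server -> client
            if all(done.values()):
                break
        subject = client.getpeercert()["subject"] if done["client"] else None
        return done, subject
```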