[Twisted-Python] Serving WSGIResource via SSL endpoint

Glyph glyph at twistedmatrix.com
Fri Aug 15 02:15:53 MDT 2014


On Aug 14, 2014, at 3:54 PM, Piper Masden <piper.masden at gmail.com> wrote:

> Hi Twistedeers!
> 
>   I have a twisted plugin that I created to replace the Django dev server for our devs.

Cool!

> It sets up a separate twisted service for serving media, so we don't need any urls.py tomfoolery in dev. It also sets up an experimental REST api server which we hope to make javascript requests to in the near future.

Glad to hear you're using Twisted for this.

>   The core of the code looks like this:
> 
>     resource = WSGIResource(reactor, reactor.getThreadPool(), WSGIHandler())
>     endpoint = 'tcp:port=8000'
>     server = strports.service(endpoint, server.Site(resource))
>     server.setServiceParent(application)
> 
>   This has worked great for a while. However, we have some views that we require https on, and so this dev server doesn't allow us to get to those views at all. I generated a .key file and a .crt file with openssl, and then cat'd them together to make a pem, and then changed the endpoint to be...
> 
>     endpoint = 'ssl:port=8000:privateKey=/path/to/key.pem'
> 
>   Now when I open my browser and type https://localhost:8000, chrome just hangs. I don't really know how to diagnose this, because I don't really know anything about SSL (it's all just magic security goodness to me). I don't necessarily need a direct answer (though it will certainly make me look good to all the other devs), but maybe some pointers in the right direction would help.

This isn't really enough information to diagnose a problem, but here are some things you could try:

    openssl s_client -connect localhost:8000
    curl -vvvv https://localhost:8000/

These should output some stuff about your TLS connection, and will perhaps emit an error message which looks obvious to you.  If not, seeing some of that output might be useful to help diagnose it.  Also, trying other web browsers is always helpful.

You might also try replacing your SSL string endpoint description with a TXSNI endpoint plugin: <https://github.com/glyph/txsni>.  This is just a little easier to get right because of how it reads certificates (for example, you don't need to get your private key, chain cert, and main cert in the right order, as long as they're all in the appropriate file).

-glyph
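
An added example, not part of the original message and not Twisted or txsni code: a standard-library Python check of what a combined PEM file like the one described in the question actually contains, in file order. The sample file is constructed with dummy base64 bodies, and the function names are this example's own.

```python
import base64
import re

# Constructed sample: the shape of a key+cert file; bodies are dummy base64, not key material.
SAMPLE_PEM = """\
-----BEGIN PRIVATE KEY-----
aGVsbG8gd29ybGQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Zm9vYmFy
-----END CERTIFICATE-----
"""

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL
)

def pem_blocks(text):
    """Return [(label, decoded_length)] in file order; raise ValueError on damage."""
    blocks = []
    for begin, body, end in _BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        # Drop legacy header lines (e.g. "Proc-Type: 4,ENCRYPTED") before decoding.
        lines = [l.strip() for l in body.splitlines() if l.strip() and ":" not in l]
        try:
            raw = base64.b64decode("".join(lines), validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin}: body is not valid base64") from exc
        blocks.append((begin, len(raw)))
    return blocks

def check_combined_pem(text):
    """Return a list of problems for a file meant to hold both key and certificate."""
    problems = []
    labels = [label for label, _ in pem_blocks(text)]
    if text.count("-----BEGIN ") != len(labels):
        problems.append("unterminated or malformed PEM block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected")
    return problems
```

This only inspects the file's structure; whether the key actually matches the certificate still shows up in the `openssl s_client` output suggested above.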