[Twisted-Python] twisted ssl server and client

John Aherne johnaherne at rocs.co.uk
Wed Nov 5 03:54:38 MST 2014


Apologies in advance for the rather basic questions I have here, but I am a
bit stuck.

I am looking at ssl with twisted 14.0.0

I have loaded all the dependencies crypto, pycrypto, service_identity, six,
idna, cffi, pyasn1, pyopenssl 0.14, openssl 1.0.1g

I am running this on windows7, windows 2008r2

I have read through Using TLS in Twisted several times but still find
myself not sure as to what I should do.

I need both server and client set up.

I have a server end where I have a GoDaddy certificate and certificate
chain. So on the server end I need to pass to ssl.CertificateOptions the
privatekey and certificate.

I also need to pass in the location of the GoDaddy bundle.

I have a set up using Cherrypy and this now works fine. But I need it
working with Twisted.


Now this is where I am not so clear. Should I pass the bundle as trustRoot
or as extraCertChain?

The docs seem to say that on Windows there is no cert store to be used as
trustRoot.

If anyone can throw some light on this I would be very grateful.

For the client using Twisted.web.Agent, I need to verify a different ssl
certificate on another server system I connect to.

At the moment, I can connect without verifying the certificate, but these
days that is no longer acceptable.

So I try the example in the docs for checking a certificate but it fails on
all examples, including www.twistedmatrix.com. I assume this is because I
do not have a default set of certificates in a store to check against.

If I use the requests package I can get it to verify or not the server
certificate, but when I turn to twisted it is not clear what I should be
doing.

The example specifies an 'authority' public.pem for the client to check
against.

So should I be looking for the way requests works, where I do not specify an
authority and it works by finding a bunch of certs somewhere?

Or do I pass in a cert that is specific to the server I am connecting to,
so it will only check against that? This seems more specific and more
secure.


A final point. I need to be able to confirm which version of openssl I am
connecting with. Is there a way to pin down which version pyopenssl is
finding?


Thanks for any information and pointers.


-- 
John Aherne
www.rocs.co.uk <http://www.rocs.co.uk>
020 7223 7567
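An added example (not part of John's post, and not the Twisted project's own code) showing how the pieces described above map onto Twisted 14.x's TLS API: the GoDaddy intermediate bundle goes to the server as `extraCertChain`, while `trustRoot` is the client-side (or client-certificate-verifying) notion; the `Agent` verifies either against a pinned authority PEM or against the platform store via `platformTrust()`; and pyOpenSSL's `SSLeay_version` reports which OpenSSL build it is actually linked against. File names (`server.key`, `server.crt`, `gd_bundle.crt`, `authority.pem`) are assumptions. The Twisted and pyOpenSSL imports are made inside the functions that need them so the pure-Python PEM splitter runs even where those packages are absent.

```python
"""Wiring TLS material into Twisted 14.x: which PEM goes to which argument.

Illustrative example, not code from the original post.  Assumed inputs:
'server.key' / 'server.crt' (the GoDaddy-issued leaf), 'gd_bundle.crt'
(the GoDaddy intermediate bundle) and, for the client, an optional pinned
'authority.pem'.  Twisted >= 14.0 and pyOpenSSL are needed only for the
Twisted/OpenSSL-specific functions; split_pem_bundle is pure Python.
"""
import re

# One PEM certificate block, non-greedy so a bundle yields several matches.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Split a concatenated PEM bundle (e.g. gd_bundle.crt) into one PEM
    string per certificate, in file order.  CertificateOptions wants the
    intermediates as a list of separate X509 objects, not one blob."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(text)]


def server_options(key_pem, leaf_pem, bundle_pem):
    """Build the server-side CertificateOptions.

    The intermediate bundle is the chain the server *presents* to clients
    (extraCertChain).  trustRoot on the server side would instead be the set
    of CAs used to verify *client* certificates, which this setup does not
    use, so it is left unset."""
    from twisted.internet import ssl  # assumed available: Twisted >= 14.0
    # PrivateCertificate.loadPEM expects key and certificate in one blob.
    private = ssl.PrivateCertificate.loadPEM(key_pem + leaf_pem)
    chain = [ssl.Certificate.loadPEM(pem).original  # .original is the X509
             for pem in split_pem_bundle(bundle_pem)]
    return ssl.CertificateOptions(
        privateKey=private.privateKey.original,   # OpenSSL PKey
        certificate=private.original,             # OpenSSL X509 (leaf)
        extraCertChain=chain,                     # list of X509 intermediates
    )


def client_agent(reactor, authority_pem=None):
    """Agent that verifies the remote certificate instead of skipping it.

    With authority_pem given, only chains ending at that authority are
    accepted: the CA that issued the remote server's certificate, or the
    server's own certificate if it is self-signed.  Without it, platformTrust()
    uses the platform CA store, which with Twisted 14.0 on Windows may be
    empty, so every verification fails (the symptom described in the post)."""
    from twisted.internet import ssl
    from twisted.web.client import Agent, BrowserLikePolicyForHTTPS
    if authority_pem is not None:
        trust_root = ssl.Certificate.loadPEM(authority_pem)
    else:
        trust_root = ssl.platformTrust()
    policy = BrowserLikePolicyForHTTPS(trustRoot=trust_root)
    return Agent(reactor, contextFactory=policy)


def openssl_version_string():
    """Return the OpenSSL build string pyOpenSSL is linked against.

    Note that this can differ from the stdlib's ssl.OPENSSL_VERSION: Twisted
    goes through pyOpenSSL, so this is the one that matters for it."""
    from OpenSSL import SSL  # assumed available: pyOpenSSL
    version = SSL.SSLeay_version(SSL.SSLEAY_VERSION)
    if isinstance(version, bytes):
        version = version.decode("ascii")
    return version


if __name__ == "__main__":
    def read(path):
        with open(path) as f:
            return f.read()

    print(openssl_version_string())
    options = server_options(read("server.key"), read("server.crt"),
                             read("gd_bundle.crt"))
    from twisted.internet import reactor
    agent = client_agent(reactor, read("authority.pem"))
    print(options, agent)
```

The split helper matters because a CA bundle file is several certificates concatenated, whereas `extraCertChain` takes a list of individual `X509` objects; feeding the whole blob to `Certificate.loadPEM` would only pick up the first one.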