[Twisted-Python] twisted ssl server and client

Hynek Schlawack hs at ox.cx
Sun Nov 9 03:47:39 MST 2014


John,

On 7 Nov 2014, at 14:14, John Aherne wrote:

> Thanks for the reply.
>
> In the end I took the examples in the docs and changed them to fit.
>
> So I have ended up with something that seems to work.
>
> But I wouldn't mind if someone can tell me if what I have done is miles
> wrong or spot on or could do with improvement or you have missed the point
> completely.

I’m a bit confused as to what you’re trying to achieve.  Let me 
give you general pointers and maybe you’ll ask more specific questions 
afterwards.

I understand you want to use TLS both from a server and a client.  
Servers and clients have very different duties when it comes to TLS (and 
if you want to hear/learn more about them, you may want to take some 
time and watch my PyCon talk about it: 
https://www.youtube.com/watch?v=SBQB_yS2K4M ).

The *server* needs to make sure that its certificate chain is 
trustworthy; for that you need to load the certificate and the chain 
file you got from GoDaddy.  FWIW, you may want to use 
https://warehouse.python.org/project/pem/ for that because it takes some 
of the tediousness out of it.

You should use some third-party application to verify you really got 
that right (don’t use the openssl CLI program, it’s confusing).

The *client* needs to verify the aforementioned certificate chain for 
its trustworthiness and whether it’s valid for the hostname you wanted 
to connect to.  In order to verify the trustworthiness, it requires a 
list of CAs it trusts.  One of them has to sign your final certificate 
in your chain file.

As glyph mentioned, loading CAs is a bit finicky and I have no 
experience on Windows unfortunately.  There is 
https://warehouse.python.org/project/wincertstore/ to extract them from 
the Windows store but I have no idea whether the output is useful with 
pyOpenSSL/Twisted.  A useful fallback is to use the bundle you get from 
https://warehouse.python.org/project/certifi/ .  If you’d like to help 
us make this more friendly for Windows users, we (and they!) would 
be eternally indebted. :)

It’s also worth noting that you’re using the obsolete 
`DefaultOpenSSLContextFactory`; please use 
`twisted.internet.ssl.CertificateOptions` instead.  Is it possible that 
you’re reading an older version of the TLS docs? Make sure to use 
http://twistedmatrix.com/documents/current/core/howto/ssl.html and also 
run Twisted 14.0.2 if you’re serious about using TLS.

Let us know if there’s something else unclear.

—h
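Editor's note (added example, not part of the thread and not Twisted's or pem's own code): the two duties Hynek describes above are framework-independent, so here they are with Python's standard-library ssl module, which runs without Twisted installed. The server side has to present its own certificate followed by the intermediates from the CA's chain file; the client side has to verify that chain against a trust root (for example certifi's bundle) and check that the certificate is valid for the hostname it meant to reach. In Twisted the corresponding objects are CertificateOptions on the server and optionsForClientTLS on the client. The split_pem_bundle() function is a stand-in for what the pem package does, hostname_matches() only illustrates the RFC 6125 wildcard rule that OpenSSL applies for real, and the PEM bodies in the sample bundle are constructed placeholders, not real certificates, so server_context() and client_context() need real files to do anything useful.

```python
"""Server and client duties in TLS, shown with the standard-library ssl module.

Added example: the PEM bodies below are constructed placeholders (a DER
SEQUENCE header plus a tag), not real certificates, so only the bundle
handling and the client-side verification policy are exercised here.
"""
import base64
import re
import ssl
import textwrap

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def _to_pem(der):
    """Re-wrap raw DER bytes as a normalised CERTIFICATE block."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def split_pem_bundle(text):
    """Split a chain/bundle file into its CERTIFICATE blocks, in file order.

    Stand-in for what the `pem` package does.  Every body is base64-decoded
    and checked to start with a DER SEQUENCE (0x30).  A PRIVATE KEY block in
    a chain file is almost always a copy/paste mistake (the chain is sent to
    every peer), so it is rejected rather than silently skipped.
    """
    certs = []
    for m in _PEM_BLOCK.finditer(text):
        label = m.group("label")
        if "PRIVATE KEY" in label:
            raise ValueError("private key found in a certificate bundle")
        if label != "CERTIFICATE":
            continue  # CRLs, trusted-cert blocks etc. are not part of the chain
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body is not a DER certificate")
        certs.append(_to_pem(der))
    return certs


def combined_server_chain(leaf_pem, bundle_pem):
    """Order certificates the way load_cert_chain() expects: the server's own
    (leaf) certificate first, then the intermediates from the CA bundle."""
    leaf = split_pem_bundle(leaf_pem)
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate")
    return "".join(leaf + split_pem_bundle(bundle_pem))


def server_context(combined_chain_path, key_path):
    """Server duty: present the leaf certificate plus its chain, hold the key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=combined_chain_path, keyfile=key_path)
    return ctx


def client_context(cafile=None):
    """Client duty: verify the chain against trusted CAs (pass e.g.
    certifi.where() as cafile) and check the hostname.  create_default_context()
    turns both on; the assertion guards against someone relaxing them later."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def hostname_matches(hostname, dns_names):
    """Is the certificate valid for the host we meant to connect to?

    Illustrates the RFC 6125 rule OpenSSL applies: names compare
    case-insensitively, and a wildcard must be the entire leftmost label,
    must not be the only label before the TLD, and matches exactly one label.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pat = name.lower().rstrip(".").split(".")
        if pat == host:
            return True
        if (pat[0] == "*" and len(pat) > 2 and len(host) == len(pat)
                and host[1:] == pat[1:] and host[0]):
            return True
    return False


def _placeholder_cert(tag):
    # Constructed placeholder: DER SEQUENCE header + tag, NOT a real certificate.
    return _to_pem(b"\x30\x12" + tag.encode().ljust(18, b"\x00"))


# Constructed sample input: the leaf you got issued, and a GoDaddy-style
# bundle file containing the intermediates (comment lines are tolerated).
SAMPLE_LEAF = _placeholder_cert("leaf")
SAMPLE_BUNDLE = ("# CA bundle (constructed)\n"
                 + _placeholder_cert("intermediate-1")
                 + _placeholder_cert("root"))

if __name__ == "__main__":
    print(combined_server_chain(SAMPLE_LEAF, SAMPLE_BUNDLE))
    print(hostname_matches("www.example.com", ["*.example.com"]))
```

The ordering in combined_server_chain() is the part people most often get wrong: OpenSSL reads the first block of the certfile as the server's own certificate and sends the rest as the chain, so a bundle pasted above the leaf produces a server that "works" in a browser with cached intermediates and fails for every strict client.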
