[Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

Paweł Miech pawelmhm at gmail.com
Tue Jul 12 10:42:28 MDT 2016


> Agreed. I’m planning to begin the deprecation process, though it will
take a little while as we need to remove all uses of it from within the
Twisted codebase itself, as well as from the documentation. That turns out
to be a bigger task than expected!

+1

One final point that I glossed over earlier

> To be clear, I was not responding to your specific needs but discussing
Glyph’s wider point about alerting when bad configuration is present.

When using Twisted endpoints (e.g. serverFromString) the problem with bad
openssl configuration is not bad. If OS does not support ALPN (OpenSSL
versions below 1.0.2) so in vast majority of Linux systems currently in use
Chrome connection simply falls back to HTTP 1.1 (I tested this on Ubuntu
14.04), This means there is no error and content is served, so it's some
sort of graceful degradation. This behavior is identical to nginx. I'm not
sure if Twisted can and should do something about this. Maybe it can print
some warning or maybe it can just let users know in documentation that
HTTP2 support via ALPN (which is required in Chrome) requires Openssl
1.0.2? Adding warnings to code might require some extra development but it
does not look that difficult. If you think about this, you probably dont
need to check ciphers available in system, you can probably only
check OpenSSL version available and check if client attempts to use ALPN.

2016-07-12 17:13 GMT+02:00 Cory Benfield <cory at lukasa.co.uk>:

>
> On 12 Jul 2016, at 09:33, Paweł Miech <pawelmhm at gmail.com> wrote:
>
> If you google for "ssl in twisted" you will also find articles that
> recommend it. Since so many people use it, maybe it could be updated to be
> more secure? If it does not make sense to update it then perhaps it would
> be good to deprecate it so that it does not confuse users?
>
>
> Agreed. I’m planning to begin the deprecation process, though it will take
> a little while as we need to remove all uses of it from within the Twisted
> codebase itself, as well as from the documentation. That turns out to be a
> bigger task than expected!
>
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20160712/da4a1892/attachment-0002.html>


More information about the Twisted-Python mailing list