[Twisted-Python] SSLContext not valid for TLS Server

Glyph glyph at twistedmatrix.com
Thu Aug 17 23:23:40 MDT 2017 

> On Aug 16, 2017, at 1:15 PM, ceeborraa <ceeborraa at gmx.de> wrote:
> 
> Hi,
> 
> I'm running Twisted 17.5.0 on Python 3.5.3 and want to create a TLS server with Twisted. I strictly sticked to the example of echoserv_ssl.py on http://twistedmatrix.com/documents/current/core/howto/ssl.html, but TLS server is not running properly. 
> 
> Despite the server starts correctly, it doesn't offer any cipher suites to the client, no matter what kind of client is trying to connect. Any time a client connects, the connection is immediately aborted by server with the error message of: 
> 
> <class 'OpenSSL.SSL.Error'>: [('SSL routines','tls_post_process_client_hello',no shared cipher')]
> 
> I tried to connect to server with the TLS echo client example of echoclient_ssl.py, with openssl s_client command and with nmap by using the --ssl-enum-ciphers script. Each time it failed with the above error message.
> 
> If I do not use the options offered by ssl.CertificateOptions() as suggested in the example, but instead create a ssl.DefaultOpenSSLContextFactory() where I provide the privateKey and Certificate as filename-strings, the server works correctly and offers the intended cipher suites.
> 
> But I need to create the SSLContext from a OpenSSL PKey-Object (private Key) and a OpenSSL Certificate-Object. Therefore I adjusted the server code of the TLS server example to: 
> 
> certificate = ssl.Certificate(cert_obj)
> privkey = ssl.KeyPair(pkey)    # pkey is the OpenSSL PKey object
> prkey_and_cert = ssl.PrivateCertificate.fromCertificateAndKeyPair(certificate,privkey)
> 
> factory = protocol.Factory.forProtocol(Echo)
> reactor.listenSSL(7498,factory,prkey_and_cert.options())
> 
> Again, the server starts, but it does not provide cipher suites so that no client can connect. Same as above!
> 
> Appreciate any help!

This sounds like it might be a configuration problem with your build of OpenSSL.  Can you post the most detailed explanation of what versions of everything you're using that you can?  Particularly: your operating system, any installed version of OpenSSL, cryptography?  (If you know how to check which OpenSSL cryptography is linked to, that would be great too.)  What attributes does the private key have?

Thanks for using Twisted,

-g

More information about the Twisted-Python mailing list