[Twisted-Python] SSLContext not valid for TLS Server

Thomas Hartwich ceeborraa at gmx.de
Sat Aug 19 10:55:16 MDT 2017


Again as text mail... sorry!

OK, let me try to provide some detailed information, hope it helps:
 
> openssl version -a:
OpenSSL 1.1.0f  25 May 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
 
> uname -vr
4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
 
 
> Installed python3 (3.5.3) packages via pip:
cryptography 2.0.3
pyopenssl 17.2.0
Twisted 17.5.0
 
I linked cryptography with the following flags:
CFLAGS="-I/usr/local/include"
LDFLAGS="-L/usr/local/lib"
 
I think I know where the problem is. It's obviously not Twisted. I'm using an ECC private key from curve secp521r1 and as far as I understand, pyOpenSSL still has some problems with supporting this type of private key.
 
It's some kind of strange behaviour. I can parse the ECC key from file and do some operations with it (e.g. signing a file), which works well.
But if I just call the check() method of the pkey object, I get the error: "Unsupported key type" from pyOpenSSL. I think this is the reason why Twisted cannot get the TLS options from it.
A similar situation is being described here: https://github.com/pyca/pyopenssl/issues/291
 
I tried to follow the workaround being described in the issue from the link above, namely to serialise the private key to cryptography and later to convert it to a pyOpenSSL pkey object, but it still does not support the key type.
 
Maybe you have an idea of how to get those things to work?
 
Thank you 
 

Sent: Friday, 18 August 2017 at 07:23
From: Glyph <glyph at twistedmatrix.com>
To: "Twisted general discussion" <twisted-python at twistedmatrix.com>
Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
> On Aug 16, 2017, at 1:15 PM, ceeborraa <ceeborraa at gmx.de> wrote:
>
> Hi,
>
> I'm running Twisted 17.5.0 on Python 3.5.3 and want to create a TLS server with Twisted. I strictly stuck to the example of echoserv_ssl.py on http://twistedmatrix.com/documents/current/core/howto/ssl.html, but the TLS server is not running properly.
>
> Although the server starts correctly, it doesn't offer any cipher suites to the client, no matter what kind of client is trying to connect. Any time a client connects, the connection is immediately aborted by the server with the error message of:
>
> <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'tls_post_process_client_hello', 'no shared cipher')]
>
> I tried to connect to server with the TLS echo client example of echoclient_ssl.py, with openssl s_client command and with nmap by using the --ssl-enum-ciphers script. Each time it failed with the above error message.
>
> If I do not use the options offered by ssl.CertificateOptions() as suggested in the example, but instead create an ssl.DefaultOpenSSLContextFactory() where I provide the privateKey and Certificate as filename strings, the server works correctly and offers the intended cipher suites.
>
> But I need to create the SSLContext from an OpenSSL PKey object (private key) and an OpenSSL Certificate object. Therefore I adjusted the server code of the TLS server example to:
>
> from twisted.internet import protocol, reactor, ssl
> from echoserv import Echo  # the Echo protocol from the howto's echoserv.py example
>
> certificate = ssl.Certificate(cert_obj)  # cert_obj is the OpenSSL X509 object
> privkey = ssl.KeyPair(pkey)  # pkey is the OpenSSL PKey object
> prkey_and_cert = ssl.PrivateCertificate.fromCertificateAndKeyPair(certificate, privkey)
>
> factory = protocol.Factory.forProtocol(Echo)
> reactor.listenSSL(7498, factory, prkey_and_cert.options())
> reactor.run()
>
> Again, the server starts, but it does not provide cipher suites so that no client can connect. Same as above!
>
> Appreciate any help!

This sounds like it might be a configuration problem with your build of OpenSSL. Can you post the most detailed explanation of what versions of everything you're using that you can? Particularly: your operating system, any installed version of OpenSSL, cryptography? (If you know how to check which OpenSSL cryptography is linked to, that would be great too.) What attributes does the private key have?

Thanks for using Twisted,

-g
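Worked example, added here and not part of the thread, Twisted or pyOpenSSL: it walks a secp521r1 key through the pyOpenSSL paths the reply at the top of this mail describes (parsing the key, calling PKey.check(), and using the key for signing), then installs it beside a self-signed certificate in a server SSL.Context so that OpenSSL itself confirms the pair belongs together. Everything is generated in memory: the key, the certificate (CN `localhost`, one-hour validity) and the signed payload are constructed values, and the helper names (`make_ec_pkey`, `make_rsa_pkey`, `describe_key`, `check_is_supported`, `sign_and_verify`, `self_signed_cert`, `context_accepts`) are mine. It assumes pyOpenSSL and cryptography are installed (pyOpenSSL 16.1 or newer, for `to_cryptography_key`).

```python
"""Exercise a secp521r1 private key through pyOpenSSL: parse it, call
PKey.check(), sign with it, and load it into a server SSL context.

Added example, not code from the thread, Twisted or pyOpenSSL. Assumes
pyOpenSSL (>= 16.1) and cryptography are importable. All key material and
the certificate below are generated in memory (constructed test data).
"""
from OpenSSL import SSL, crypto
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def make_ec_pkey(curve=ec.SECP521R1()):
    """Generate an EC key with cryptography, PEM-encode it, and parse it with
    pyOpenSSL exactly as a key file would be parsed (crypto.load_privatekey)."""
    priv = ec.generate_private_key(curve, default_backend())
    pem = priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return crypto.load_privatekey(crypto.FILETYPE_PEM, pem)


def make_rsa_pkey(bits=2048):
    """RSA key generated by pyOpenSSL, used only as a contrast for check()."""
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, bits)
    return pkey


def describe_key(pkey):
    """Return (is_rsa, curve_name): what OpenSSL reports the key to be."""
    is_rsa = pkey.type() == crypto.TYPE_RSA
    ckey = pkey.to_cryptography_key()
    curve_name = ckey.curve.name if isinstance(ckey, ec.EllipticCurvePrivateKey) else None
    return is_rsa, curve_name


def check_is_supported(pkey):
    """PKey.check() implements only the RSA consistency check and raises
    TypeError for any other key type, which is the symptom in the reply.
    True if check() ran and passed, False if the key type was refused."""
    try:
        return bool(pkey.check())
    except TypeError:
        return False


def sign_and_verify(pkey, data=b"constructed payload"):
    """Show the EC key is usable for ECDSA even though check() refuses it:
    sign with the private half, verify with the public half."""
    priv = pkey.to_cryptography_key()
    signature = priv.sign(data, ec.ECDSA(hashes.SHA256()))
    try:
        priv.public_key().verify(signature, data, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def self_signed_cert(pkey, cn="localhost"):
    """Minimal self-signed X.509 v3 certificate for the key (1 h validity)."""
    cert = crypto.X509()
    cert.set_version(2)  # zero-based, so 2 means X.509 v3
    cert.set_serial_number(1)
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(pkey)
    cert.sign(pkey, "sha256")
    return cert


def context_accepts(cert, pkey):
    """Install cert + key in a server context and let OpenSSL confirm they
    belong together. A mismatched key is rejected either when it is
    installed or by check_privatekey(); both surface as SSL.Error here."""
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    try:
        ctx.use_certificate(cert)
        ctx.use_privatekey(pkey)
        ctx.check_privatekey()
    except SSL.Error:
        return False
    return True


if __name__ == "__main__":
    ec_key = make_ec_pkey()
    print("EC key  -> (is_rsa, curve):", describe_key(ec_key))
    print("EC key  -> check() supported:", check_is_supported(ec_key))
    print("RSA key -> check() supported:", check_is_supported(make_rsa_pkey()))
    print("EC key  -> ECDSA sign/verify ok:", sign_and_verify(ec_key))
    cert = self_signed_cert(ec_key)
    print("context accepts matching EC pair:", context_accepts(cert, ec_key))
    print("context accepts unrelated EC key:", context_accepts(cert, make_ec_pkey()))
```

The point of the last two calls is to separate the two failure modes a reader of this thread might conflate: a key type that one pyOpenSSL helper refuses to inspect, versus a key that does not match the certificate it is paired with. Only the second is rejected by the SSL context, so a pair that passes `context_accepts` while `check_is_supported` returns False is the situation the reply above describes.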

_______________________________________________
Twisted-Python mailing list
Twisted-Python at twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python



