[Twisted-Python] SSLContext not valid for TLS Server

Thomas Hartwich ceeborraa at gmx.de
Sun Aug 20 10:30:31 MDT 2017


 Ok, I finally got a solution for my problem. As I know, the TLS server was working with DefaultOpenSSLContextFactory but this only takes file paths to private key/certificate, I created my own SSL-Context file.

For anybody who has the same problem:

class MySSLContext(ssl.ContextFactory):
    
    _context = None
    
    def __init__(self,privateKey, certificate, sslmethod=SSL.TLSv1_2_METHOD, _contextFactory=SSL.Context):
        
        self.privateKey = privateKey
        self.certificate = certificate
        self._contextFactory = _contextFactory
        self.sslmethod = sslmethod
        
        self.cacheContext()
        
    def cacheContext(self):
        
        if(self._context is None):
            
            ctx = self._contextFactory(self.sslmethod)
            
            ctx.set_options(SSL.OP_NO_SSLv2)
            ctx.set_options(SSL.OP_NO_SSLv3)
            ctx.use_privatekey(self.privateKey)
            ctx.use_certificate(self.certificate)
            
            self._context = ctx
            
    def getContext(self):
        
        return self._context

This context can now work with the EC private key from secp521r1!
 

Gesendet: Mittwoch, 16. August 2017 um 22:15 Uhr
Von: ceeborraa <ceeborraa at gmx.de>
An: twisted-python at twistedmatrix.com
Betreff: [Twisted-Python] SSLContext not valid for TLS Server

Hi,
I'm running Twisted 17.5.0 on Python 3.5.3 and want to create a TLS server with Twisted. I strictly sticked to the example of echoserv_ssl.py on http://twistedmatrix.com/documents/current/core/howto/ssl.html, but TLS server is not running properly.
Despite the server starts correctly, it doesn't offer any cipher suites to the client, no matter what kind of client is trying to connect. Any time a client connects, the connection is immediately aborted by server with the error message of:
<class 'OpenSSL.SSL.Error'>: [('SSL routines','tls_post_process_client_hello',no shared cipher')]
I tried to connect to server with the TLS echo client example of echoclient_ssl.py, with openssl s_client command and with nmap by using the --ssl-enum-ciphers script. Each time it failed with the above error message.
If I do not use the options offered by ssl.CertificateOptions() as suggested in the example, but instead create a ssl.DefaultOpenSSLContextFactory() where I provide the privateKey and Certificate as filename-strings, the server works correctly and offers the intended cipher suites.
But I need to create the SSLContext from a OpenSSL PKey-Object (private Key) and a OpenSSL Certificate-Object. Therefore I adjusted the server code of the TLS server example to:
certificate = ssl.Certificate(cert_obj)
privkey = ssl.KeyPair(pkey)    # pkey is the OpenSSL PKey object
prkey_and_cert = ssl.PrivateCertificate.fromCertificateAndKeyPair(certificate,privkey)
factory = protocol.Factory.forProtocol(Echo)
reactor.listenSSL(7498,factory,prkey_and_cert.options())
Again, the server starts, but it does not provide cipher suites so that no client can connect. Same as above!
Appreciate any help!
_______________________________________________ Twisted-Python mailing list Twisted-Python at twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python[https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python]




More information about the Twisted-Python mailing list