[Twisted-Python] Does Twisted support ECC for TLS?

Justin Myles Holmes twotonespirit at gmail.com
Sat Mar 3 21:14:49 MST 2018


Righto!

I notice that there's an issue on PyOpenSSL which appears to address this:

https://github.com/pyca/pyopenssl/pull/636

However, it's not clear that this actually moves the issue forward, as it
only provides for getting a PKey from a cryptography EC key, not for
actually using it for TLS.

One interesting tidbit I've noticed is that txsni does appear to support
TLS with ciphers that use SECP256R1 (also called "NIST P-256" - a curve of
questionable parentage), but not SECP256K1 (a curve used by several
prominent blockchain projects).

I'm not entirely sure where to turn next.



On Sat, Mar 3, 2018 at 7:06 PM, Glyph <glyph at twistedmatrix.com> wrote:

>
>
> On Mar 3, 2018, at 2:38 PM, Justin Myles Holmes <twotonespirit at gmail.com>
> wrote:
>
> > I'm trying to bend a little bit of custom TLS - one possible use case for
> > me is a HendrixDeploy object which uses an Ethereum keypair to self-sign a
> > certificate.
> >
> > So I'm wondering: is it currently possible to use an ECC keypair for TLS
> > with Twisted?
> >
> > Here's what I've discovered:
> >
> > twisted.internet.ssl.ContextFactory has a method, use_privatekey().
> > This thing wants an OpenSSL.crypto.PKey object.  And, lo and behold, PKey
> > offers a facility, from_cryptography_key(), which attempts to use a key
> > from cryptography.io, from whence I'm generating keys anyway.  However,
> > it expects an RSA or DSA key, not an EC or ECDSA key.
> >
> > Glyph suggested that, instead of trying to handle PKeys myself, I might
> > try loading PEM files with txsni or the like.
> >
> > I can actually get txsni to work with my cert/keypair, but I don't seem to
> > be able to get a client to connect.  For example, Firefox tells me
> > "SSL_ERROR_NO_CYPHER_OVERLAP".
> >
> > I tried the same things with SSL4ServerEndpoint, and I get exactly the
> > same thing - my protocol's dataReceived method is never run, no output
> > appears in the console, but the client gets this same error.
> >
> > I notice that there's an issue on PyOpenSSL which appears to address this:
>
>
> Looks like your message was truncated before getting to the link :-).
>
> -glyph
>


-- 
Justin Myles Holmes
justinholmes.com
thisisthebus.com
github.com/jMyles/
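
A quick way to see which curve a PEM key is on before handing it to txsni or an endpoint, given the observation above that SECP256R1 keys negotiate while SECP256K1 keys do not. This is an added example, not code from the thread, Twisted or pyOpenSSL; `check_key`, `sample_pem` and the `BROWSER_OFFERED` set are assumptions made for illustration, and the input is assumed to be a single unencrypted PEM block.

```python
import base64

# DER-encoded named-curve OIDs (dotted form in the trailing comments).
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "secp256r1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",        # 1.3.132.0.35
    bytes.fromhex("2b8104000a"): "secp256k1",        # 1.3.132.0.10
}
# Assumption, not stated in the thread: the ECDSA curves a mainstream browser
# advertises in its ClientHello. Adjust to match the clients you must serve.
BROWSER_OFFERED = {"secp256r1", "secp384r1", "secp521r1"}

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def find_curve(der):
    """Depth-first walk of constructed elements; first known curve OID wins."""
    for tag, value in tlvs(der):
        if tag == 0x06 and value in CURVES:
            return CURVES[value]
        if tag & 0x20 and (found := find_curve(value)):
            return found
    return None

def check_key(pem):
    """Return (curve name or None, True if that curve is in BROWSER_OFFERED)."""
    curve = find_curve(pem_to_der(pem))
    return curve, curve in BROWSER_OFFERED

def sample_pem(oid):
    """Constructed SEC1 ECPrivateKey: dummy 0x11*32 scalar plus [0] curve OID."""
    body = b"\x02\x01\x01\x04\x20" + b"\x11" * 32
    body += bytes([0xA0, len(oid) + 2, 0x06, len(oid)]) + oid
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN EC PRIVATE KEY-----\n{der}\n-----END EC PRIVATE KEY-----\n"
```

`check_key(open("key.pem").read())` works on SEC1 (`EC PRIVATE KEY`) and unencrypted PKCS#8 (`PRIVATE KEY`) files, and on a certificate PEM, since the curve OID also appears in its SubjectPublicKeyInfo.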