[Twisted-Python] Does Twisted support ECC for TLS?

Justin Myles Holmes twotonespirit at gmail.com
Sat Mar 3 23:31:49 MST 2018


OK, I think I've got it figured out, but I'm still not sure what to do
about it.

In twisted.internet._sslverify.py, there's:

_defaultCurveName = u"prime256v1"

Then, later, this curve is set as self.ecCurve on
OpenSSLCertificateOptions.  There appears to be no way to change this, but
of course "prime256v1" is not the curve I want.

There was a PR recently merged - #928, which uses a PyOpenSSL curve instead
of the proxy class which existed prior.  However, it still doesn't allow me
to pass a curve name or nid - how can I specify a curve of my choice?

On Sat, Mar 3, 2018 at 8:14 PM, Justin Myles Holmes <twotonespirit at gmail.com> wrote:

> Righto!
>
> I notice that there's an issue on PyOpenSSL which appears to address this:
>
> https://github.com/pyca/pyopenssl/pull/636
>
> However, it's not clear that this actually moves the issue forward, as it
> only provides for getting a PKey from a cryptography EC key, not for
> actually using it for TLS.
>
> One interesting tidbit I've noticed is that txsni does appear to support
> TLS with ciphers that use SECP256R1 (also called "NIST P-256" - a curve of
> questionable parentage), but not SECP256K1 (a curve used by several
> prominent blockchain projects).
>
> I'm not entirely sure where to turn next.
>
> On Sat, Mar 3, 2018 at 7:06 PM, Glyph <glyph at twistedmatrix.com> wrote:
>
>>
>> On Mar 3, 2018, at 2:38 PM, Justin Myles Holmes <twotonespirit at gmail.com>
>> wrote:
>>
>> I'm trying to bend a little bit of custom TLS - one possible use case for
>> me is a HendrixDeploy object which uses an ethereum keypair to self-sign a
>> certificate.
>>
>> So I'm wondering: is it currently possible to use an ECC keypair for TLS
>> with Twisted?
>>
>> Here's what I've discovered:
>>
>> twisted.internet.ssl.ContextFactory has a method, use_privatekey().
>> This thing wants an OpenSSL.crypto.PKey object.  And, lo and behold, PKey
>> offers a facility, from_cryptography_key(), which attempts to use a key
>> from cryptography.io, from whence I'm generating keys anyway.  However,
>> it expects an RSA or DSA key, not an EC or ECDSA key.
>>
>> Glyph suggested that, instead of trying to handle PKeys myself, I might
>> try loading PEM files with txsni or the like.
>>
>> I can actually get txsni to work with my cert/keypair, but I don't seem
>> to be able to get a client to connect.  For example, Firefox tells me
>> "SSL_ERROR_NO_CYPHER_OVERLAP".
>>
>> I tried the same things with SSL4ServerEndpoint, and I get exactly the
>> same thing - my protocol's dataReceived method is never run, no output
>> appears in the console, but the client gets this same error.
>>
>> I notice that there's an issue on PyOpenSSL which appears to address this:
>>
>>
>> Looks like your message was truncated before getting to the link :-).
>>
>> -glyph
>>
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python at twistedmatrix.com
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>>
>>
>
>
> --
> Justin Myles Holmes
> justinholmes.com
> thisisthebus.com
> github.com/jMyles/
>



-- 
Justin Myles Holmes
justinholmes.com
thisisthebus.com
github.com/jMyles/