[Twisted-Python] txsni + alpn + acme (letsencrypt)

Daniel Holth dholth at gmail.com
Sun Mar 24 14:59:38 MDT 2019


Pull request for txsni acme https://github.com/glyph/txsni/pull/28

On Sun, Mar 24, 2019, 16:33 Glyph <glyph at twistedmatrix.com> wrote:

> Any chance you could include a link to the relevant PR? Pulling this out
> of the raging tire-fire of my GitHub notifications would take an
> unfortunately non-trivial amount of time - and I imagine that not everyone
> subscribed might even be on the appropriate repos :).
>
> -g
>
> On Mar 24, 2019, at 9:26 AM, Daniel Holth <dholth at gmail.com> wrote:
>
> The cleaned up pull request should be really easy to try, with a
> dehydrated:(basedir) string port. Go get some certs, people!
>
> On Sun, Mar 24, 2019, 00:55 Glyph <glyph at twistedmatrix.com> wrote:
>
>> I think ACME_TLS_1 is a sufficiently high-entropy string that the
>> likelihood of brokenness from this approach is basically zero.
>>
>> -g
>>
>> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dholth at gmail.com> wrote:
>>
>> All we have to do is have some kind of per-connection certificate store
>> or flag. If ACME is in the first packet and the special certificate exists,
>> send it. Otherwise send the normal certificate, for a very short window of
>> possible brokenness. Let's Encrypt may or may not require correct ALPN
>> negotiation. Should be simple.
>>
>> I'm happy running the ACME client separately and listing my domain
>> instead of doing it all on demand inside Twisted.
>>
>>
>> On Sat, Mar 23, 2019, 23:59 Glyph <glyph at twistedmatrix.com> wrote:
>>
>>>
>>>
>>> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dholth at gmail.com> wrote:
>>> >
>>> > HOLY REGEX BATMAN
>>> >
>>> > class _ConnectionProxy(object):
>>> >
>>> >    def bio_write(self, buf):
>>> >        # Inspect only the first write (the client's first packet) for ACME_TLS_1.
>>> >        if ACME_TLS_1 in buf:
>>> >            self.acme_tls_1 = True
>>> >        # Unhook: later writes go straight to the wrapped connection.
>>> >        self.bio_write = self._obj.bio_write
>>> >        return self._obj.bio_write(buf)
>>> >
>>> > Now we can choose the ACME certificate store in the SNI callback and
>>> > make Let's Encrypt happy!
>>>
>>> 1. Gross
>>> 2. Hooray!
>>>
>>> -g
>>>
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python at twistedmatrix.com
>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>>>