[Twisted-Python] txsni + alpn + acme (letsencrypt)

Daniel Holth dholth at gmail.com
Sun Mar 24 19:17:04 MDT 2019


Do move it to twisted. I was surprised it wasn't already there.

On Sun, Mar 24, 2019, 17:39 Glyph <glyph at twistedmatrix.com> wrote:

> Thanks! I put some review comments on it.  I would encourage others with
> interest in this area to have a look; I might not get back to this for a
> couple of weeks, but I'd be happy to give people collaborator permissions
> on the repo if they'd like to help out.
>
> (Frankly it's probably time that this project grew up and moved over to
> the Twisted org anyway, given that txacme depends on it...)
>
> -g
>
> On Mar 24, 2019, at 1:59 PM, Daniel Holth <dholth at gmail.com> wrote:
>
> Pull request for txsni acme https://github.com/glyph/txsni/pull/28
>
> On Sun, Mar 24, 2019, 16:33 Glyph <glyph at twistedmatrix.com> wrote:
>
>> Any chance you could include a link to the relevant PR?  Pulling this out
>> of the raging tire-fire of my Github notifications would take an
>> unfortunately non-trivial amount of time - and I imagine that not everyone
>> subscribed might even be on the appropriate repos :).
>>
>> -g
>>
>> On Mar 24, 2019, at 9:26 AM, Daniel Holth <dholth at gmail.com> wrote:
>>
>> The cleaned up pull request should be really easy to try, with a
>> dehydrated:(basedir) string port. Go get some certs people!
>>
>> On Sun, Mar 24, 2019, 00:55 Glyph <glyph at twistedmatrix.com> wrote:
>>
>>> I think ACME_TLS_1 is a sufficiently high-entropy string that the
>>> likelihood of brokenness from this approach is basically zero.
>>>
>>> -g
>>>
>>> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dholth at gmail.com> wrote:
>>>
>>> All we have to do is have some kind of per connection certificate store
>>> or flag. If acme is in the first packet and the special certificate exists,
>>> send it. Otherwise send the normal certificate, for a very short window of
>>> possible brokenness. Letsencrypt may or may not require correct alpn
>>> negotiation. Should be simple.
>>>
>>> I'm happy running the acme client separately and listing my domain
>>> instead of doing it all on demand inside twisted.
>>>
>>>
>>> On Sat, Mar 23, 2019, 23:59 Glyph <glyph at twistedmatrix.com> wrote:
>>>
>>>>
>>>>
>>>> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dholth at gmail.com> wrote:
>>>> >
>>>> > HOLY REGEX BATMAN
>>>> >
>>>> > class _ConnectionProxy(object):
>>>> >
>>>> >    def bio_write(self, buf):
>>>> >        if ACME_TLS_1 in buf:
>>>> >            self.acme_tls_1 = True
>>>> >        self.bio_write = self._obj.bio_write
>>>> >        return self._obj.bio_write(buf)
>>>> > Now we can choose the acme certificate store in the sni callback and
>>>> > make letsencrypt happy!
>>>>
>>>> 1. Gross
>>>> 2. Hooray!
>>>>
>>>> -g
>>>>
>>>> _______________________________________________
>>>> Twisted-Python mailing list
>>>> Twisted-Python at twistedmatrix.com
>>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>>>>
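An added example (my own code, not from txsni or from anyone in this thread) showing the decision the quoted messages describe made on a parsed ClientHello rather than on a substring match: it extracts the SNI host and the ALPN protocol list, then picks the challenge certificate store only when the client offered acme-tls/1 for a host that actually has a pending challenge. The builder exists only to construct test input; the function names are mine, and the parser assumes the whole ClientHello arrives in the first write (a split record is reported as malformed and falls through to the normal store).

```python
import struct

ACME_TLS_1 = b"acme-tls/1"  # ALPN protocol id used by the TLS-ALPN-01 challenge

def build_client_hello(server_name, alpn_protocols):
    # Constructed test input: a minimal TLS ClientHello record with SNI and ALPN extensions.
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host
    sni_ext = struct.pack(">HHH", 0, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    protos = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    alpn_ext = struct.pack(">HHH", 16, len(protos) + 2, len(protos)) + protos
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, fixed "random", empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (server_name, [alpn protocols]) from one ClientHello record; (None, []) if malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # not a handshake record / not a ClientHello
            return None, []
        pos = 43                                        # record(5) + handshake(4) + version(2) + random(32)
        pos += 1 + record[pos]                          # skip session id
        pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + record[pos]                          # skip compression methods
        ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        server_name, alpn = None, []
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4])
            data = record[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == 16:                           # application_layer_protocol_negotiation
                p = 2                                   # skip protocol_name_list length
                while p < len(data):
                    alpn.append(data[p + 1:p + 1 + data[p]])
                    p += 1 + data[p]
        return server_name, alpn
    except (IndexError, struct.error):                  # truncated or split record: treat as no match
        return None, []

def choose_store(record, acme_hosts):
    # Serve the challenge certificate only for acme-tls/1 on a host with a pending challenge.
    server_name, alpn = parse_client_hello(record)
    return "acme" if ACME_TLS_1 in alpn and server_name in acme_hosts else "normal"
```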