[Twisted-web] Making Secure HTTPS requests, SSL Method, and Certificate Management using Twisted

Carl Waldbieser cwaldbieser at gmail.com
Mon Oct 6 08:55:31 MDT 2014


I have a couple projects I am working on where I would like to make HTTPS
requests using Twisted.  I reviewed the articles "Using TLS in Twisted" [1]
and "Using the Twisted Web Client" (section "HTTP over SSL") [2].  It seems
like various options exist that will allow me to make HTTPS requests using
the CA certs bundled on the client OS.

I would like to be able to tell my HTTPS clients to accept specific
*internal* CA certificates *in addition* to the certificates provided by
the OS.  Initially, I thought this might be possible by passing a custom
t.w.c.BrowserLikePolicyForHTTPS to the t.w.c.Agent as its `contextFactory`
argument. I wasn't quite sure how to go about doing this, so I got some
advice on StackOverflow [3]. With some slight modifications to the solution
presented there, I was able to create a custom Trust Root that accepted a
list of paths to CA cert files in PEM format that I wanted to add to the
client. The custom trust root is passed to the BrowserLikePolicyForHTTPS.
The policy is passed to the Agent.

The one hitch is that the IOpenSSLTrustRoot interface upon which my custom
trust root is based is located in `twisted.internet._sslverify`[4], which
if I understand correctly, is a private module and not supposed to be used
as an API.  Is there a *supported* way to specify *additional* CA certs to
use during SSL verification when making HTTPS requests using Twisted? If
so, what is the recommended method?

Another related concept that was not clear to me is how one might specify
the SSL method (e.g. SSLv23_METHOD, SSLv3_METHOD, etc.) when making the
request. Is there some recommended way to pass options to indicate the SSL
method that ought to be used?

Any guidance would be appreciated.

Thanks,
Carl Waldbieser


[1] https://twistedmatrix.com/documents/current/core/howto/ssl.html
[2] http://twistedmatrix.com/documents/current/web/howto/client.html#http-over-ssl
[3] http://stackoverflow.com/questions/26166444/twisted-python-how-to-create-a-twisted-web-client-browserlikepolicyforhttps-with
[4] http://twistedmatrix.com/documents/current/api/twisted.internet._sslverify.IOpenSSLTrustRoot.html