Hello,
The other day, we had a Scrapy user report an issue connecting to
https://www.skelbiu.lt/ with OpenSSL 1.1 [1].
To keep Scrapy's things separate from Twisted Web, I used this (adapted from
the official docs):
#---------------
from __future__ import print_function

from twisted.internet import reactor
from twisted.web.client import Agent
from twisted.web.http_headers import Headers

# Plain Agent with the default HTTPS policy; no custom TLS context.
agent = Agent(reactor)

# Method, URL and header names/values are bytes so this runs on both Python 2 and 3.
d = agent.request(
    b'GET',
    b'https://www.skelbiu.lt/',
    Headers({b'User-Agent': [b'Twisted Web Client Example']}),
    None)

def cbResponse(ignored):
    print('Response received')

d.addCallback(cbResponse)

def cbShutdown(ignored):
    # On failure this prints the Failure (e.g. ResponseNeverReceived), on success None.
    print(ignored)
    reactor.stop()

d.addBoth(cbShutdown)
reactor.run()
#---------------
And I did get a handshake failure too:
$ python twistedtest.py
[Failure instance: Traceback (failure with no frames): <class 'twisted.web._newclient.ResponseNeverReceived'>: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]>]
]
It seems this happens (at least) with OpenSSL 1.1.0e (currently in Debian 9
sid [2]).
It does not happen (for me) with OpenSSL 1.0.2g, for example.
I dug into this this afternoon and narrowed it down to the use of
_defaultCurveName = u"prime256v1"
in twisted.internet._sslverify.py [3].
I tried patching the current trunk with _defaultCurveName = u"secp384r1"
(the EC that ssllabs.com reports), and it did work.
Looking at ClientHello messages for openssl 1.0.2 and 1.1 [4]:
- with 1.1, only one elliptic curve is sent by the Twisted Web Agent: secp256r1
- the openssl v1.1 client uses 4 by default: ecdh_x25519, secp256r1, secp521r1,
  secp384r1
I was wondering what the proper way is to configure the requested elliptic
curves.
I haven't seen any interface for this, unlike ciphers, which have
acceptableCiphers.
Thank you for your input.
Best,
Paul.
[1] https://github.com/scrapy/scrapy/issues/2717
[2] https://packages.debian.org/fr/source/sid/openssl
[3] https://github.com/twisted/twisted/blob/78679af87e349721a167f35bef239e192e9…
[4] https://github.com/scrapy/scrapy/issues/2717#issuecomment-297464034
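As an added example (not part of Paul's post, and not Twisted's or Scrapy's code), the Python below builds a minimal TLS 1.2 ClientHello that advertises a given list of curves and parses the supported_groups extension back out of a record, which is the check done by hand in [4]. The ClientHello bytes are constructed by the block itself (the random and cipher list are placeholders); a real capture from tcpdump or a proxy would be passed to supported_groups() the same way. The group ids 23/24/25/29 are the IANA "Supported Groups" values for secp256r1 (OpenSSL's prime256v1), secp384r1, secp521r1 and x25519. The server curve list passed to negotiable_groups() is an assumption for illustration; the server at skelbiu.lt was not queried here.

```python
import struct

# IANA "Supported Groups" ids for the curves named in the thread.
GROUP_NAMES = {
    23: "secp256r1",   # OpenSSL name: prime256v1 (Twisted's _defaultCurveName)
    24: "secp384r1",
    25: "secp521r1",
    29: "x25519",      # listed as ecdh_x25519 by openssl 1.1
}
SUPPORTED_GROUPS_EXT = 10


def _u8(buf, i):
    """One unsigned byte at offset i, working on both Python 2 and 3 byte strings."""
    return ord(buf[i:i + 1])


def build_client_hello(group_ids, cipher_suites=(0xC02F,)):
    """Constructed test input: a minimal TLS 1.2 ClientHello record offering group_ids.
    The 32-byte random and the cipher list are placeholders, not a real capture."""
    groups = b"".join(struct.pack("!H", g) for g in group_ids)
    ext_body = struct.pack("!H", len(groups)) + groups
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + b"\x00" * 32                  # client_version, random (placeholder)
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext         # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups(record):
    """Names of the groups offered in the supported_groups extension of a ClientHello record
    (unknown ids are reported as 'unknown(n)'); [] if the extension is absent."""
    if record[0:1] != b"\x16":
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0:1] != b"\x01":
        raise ValueError("not a ClientHello")
    hs_len = struct.unpack("!I", b"\x00" + hs[1:4])[0]
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                    # skip client_version and random
    pos += 1 + _u8(body, pos)                       # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + _u8(body, pos)                       # compression_methods
    if pos >= len(body):
        return []                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            ids = struct.unpack("!%dH" % (n // 2), data[2:2 + n])
            return [GROUP_NAMES.get(i, "unknown(%d)" % i) for i in ids]
    return []


def negotiable_groups(client_record, server_groups):
    """Offered groups the server also supports, in client preference order.
    An empty result is the situation behind the 'handshake failure' alert in the thread:
    the server has no ECDHE group it can pick from the ClientHello."""
    return [g for g in supported_groups(client_record) if g in server_groups]


if __name__ == "__main__":
    # Twisted Agent on OpenSSL 1.1 (per the thread) offers one curve; openssl 1.1's
    # own client offers four. Server list below is an assumed example, not a lookup.
    print(supported_groups(build_client_hello([23])))
    print(supported_groups(build_client_hello([29, 23, 25, 24])))
    print(negotiable_groups(build_client_hello([23]), ["secp384r1"]))
```

The parser only walks the fixed layout of a ClientHello (version, random, session_id, cipher_suites, compression_methods, extensions), so it works on any captured ClientHello, not just the constructed one; extensions other than supported_groups are skipped by length.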
Hi,
Since I have a couple of projects building on nevow that I'd like to
keep maintaining into the post-python2 world (and at least one of
them contains a broader user base that I can't easily get to port
templates and such), I've started porting nevow to python3. What's
on https://github.com/msdemlei/nevow runs essentially all the unit
tests that weren't broken on python2 except for those related to
livepages.
I've not tried to port any python2 code to this now, though, since I
find the current situation where lots of byte strings leak
through from twisted.web quite unsatisfying. I've tried to formulate
something like a preliminary policy in
https://github.com/msdemlei/nevow/blob/master/doc/strings_and_bytes.rst,
but I'm deeply unhappy about most of this.
Ideally, I'd like to fairly exclusively expose actual strings to
nevow client code unless they actually deal with binary data (as in
static.File, and of course request.write needs to be able to deal
with this). This will probably mean isolating client code from
twisted.web.Requests a bit more.
So:
(1) Is anyone else still interested in this?
(2) Is anyone at all interested in the livepages stuff (I'm not, and
dropping it would certainly make porting and maintaining the package
a lot easier)?
(3) If I went ahead with this and actually tried to get a
python3-nevow into Debian (which I'd really, really like to see): how
does everyone feel about keeping the name nevow even if serious
functional changes (such as dropping livepages) were to come about?
[What I care about most is keeping the templating system, including
the render_ and data_ methods.]
Thanks,
Markus