Hello,
The other day, we had a Scrapy user report an issue connecting to
https://www.skelbiu.lt/ with OpenSSL 1.1 [1].
To not mix scrapy's things with Twisted Web, I used this (adapted from
official docs):
#---------------
from __future__ import print_function

from twisted.internet import reactor
from twisted.web.client import Agent
from twisted.web.http_headers import Headers

agent = Agent(reactor)

# Agent.request() takes the method and URI as bytes.
d = agent.request(
    b'GET',
    b'https://www.skelbiu.lt/',
    Headers({'User-Agent': ['Twisted Web Client Example']}),
    None)

def cbResponse(ignored):
    print('Response received')
d.addCallback(cbResponse)

def cbShutdown(ignored):
    # Prints the Failure when the request did not succeed (None otherwise).
    print(ignored)
    reactor.stop()
d.addBoth(cbShutdown)

reactor.run()
#---------------
And I did get a Handshake failure too:
$ python twistedtest.py
[Failure instance: Traceback (failure with no frames): <class
'twisted.web._newclient.ResponseNeverReceived'>:
[<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines',
'ssl3_read_bytes', 'sslv3 alert handshake failure')]>]
]
It seems this happens (at least) with OpenSSL 1.1.0e (currently in Debian 9
sid [2]).
It does not happen (for me) with OpenSSL 1.0.2g for example.
I dug into this this afternoon and narrowed it down to the use of
_defaultCurveName = u"prime256v1"
in twisted.internet._sslverify.py
I tried patching the current trunk with _defaultCurveName = u"secp384r1"
(the EC that ssllabs.com reports)
and it did work.
Looking at ClientHello messages for openssl 1.0.2 and 1.1 [4]:
with 1.1, only 1 Elliptic Curve is sent by Twisted Web Agent: secp256r1.
The openssl v1.1 client uses 4 by default: ecdh_x25519, secp256r1, secp521r1,
secp384r1.
I was wondering what is the proper way to configure requested Elliptic
Curves.
I haven't seen any interface for this, contrary to ciphers with
acceptableCiphers.
Thank you for your input.
Best,
Paul.
[1] https://github.com/scrapy/scrapy/issues/2717
[2] https://packages.debian.org/fr/source/sid/openssl
[3] https://github.com/twisted/twisted/blob/78679af87e349721a167f35bef239e192e9…
[4] https://github.com/scrapy/scrapy/issues/2717#issuecomment-297464034
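
An added example, not part of the message above and not Twisted's code: a stdlib-only parser that lists the groups a ClientHello offers in its supported_groups extension, which is the comparison the post makes between the two clients. The ClientHello records are constructed samples, the secp384r1-only server set is an assumption taken from the ssllabs.com result the post mentions, and build_client_hello, offered_groups and negotiable are hypothetical helper names.

```python
import struct

# IANA "TLS Supported Groups" ids for the curves named in the post.
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}

def build_client_hello(group_ids):
    """Constructed sample: a minimal TLS 1.2 ClientHello record offering group_ids."""
    groups = b"".join(struct.pack("!H", g) for g in group_ids)
    ext = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeros here)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one ECDHE cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_groups(record):
    """Names from the supported_groups extension (type 10) of a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                       # version, random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos == len(body):
            return []                                      # no extensions block
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 10:
                count = struct.unpack_from("!H", body, pos + 4)[0] // 2
                ids = struct.unpack_from("!%dH" % count, body, pos + 6)
                return [GROUPS.get(i, hex(i)) for i in ids]
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")
    return []

def negotiable(record, server_groups):
    """Groups both sides support; an empty list means ECDHE cannot be agreed."""
    return [g for g in offered_groups(record) if g in server_groups]

twisted_like = build_client_hello([23])              # the single curve seen with 1.1
openssl_like = build_client_hello([29, 23, 25, 24])  # the four openssl 1.1 defaults
server = {"secp384r1"}   # assumption: the curve ssllabs.com reports, per the post
print(negotiable(twisted_like, server), negotiable(openssl_like, server))
```

The same offered_groups function can be pointed at the first record of a captured handshake to confirm which groups a client really sends after a configuration change.
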
Hi,
This is a quick message to let you know that the current mailing list
service will migrate
from Twisted's own hosted services to the mailing list service
provided by the Python organization.
The migration is scheduled to start on the 5th of August, 2021
17:00 UTC time (10:00am PDT / 18:00 BST).
The following email address will no longer be available:
twisted-web(a)twistedmatrix.com
The new address will be:
twisted-web(a)python.org
The new archive will be hosted at https://mail.python.org/archives/
All existing subscribers will be migrated.
If you only interact with the mailing list using your email
you only need to update your existing filters
and update your email contact address for the list.
The migration is expected to take about 3 hours.
After the migration, Glyph plans to implement an email redirection,
so even if you send emails to the old address we should still receive them.
Subject to availability :)
We also plan to redirect the old mailing list pages and archives to
the new pages.
This will also happen after the migration.
Have a nice day... and talk to you soon on the new mailing list.
PS: while we do the migration you can still get in touch using
IRC on Libera #twisted channel
Matrix/Gitter at https://gitter.im/twisted/twisted
--
Adi Roiban