Hi,
how can I convert the plugin code below to recent security level, to TLSv3, dhparams and extraCertChain ? Is OCSP stapling available in Twisted meanwhile?
Thanks, Axel
    from twisted.application import internet
    from twisted.application.service import MultiService
    from twisted.internet import endpoints, reactor

    # meteo_factory and the MeteoServiceMaker class are defined elsewhere in the plugin.

    def makeService(self, options):
        """
        makeService() returns an IService.
        twisted.internet.application.MultiService[1] is an IService that composes
        other services (it's an IServiceCollection).
        """
        ipv4_server = endpoints.serverFromString(
            reactor,
            'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
                options['port'],
                endpoints.quoteStringArgument(options['cert_path']),
                endpoints.quoteStringArgument(options['key_path']),
                options['ipv4_address']))
        ipv6_server = endpoints.serverFromString(
            reactor,
            'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
                options['port'],
                endpoints.quoteStringArgument(options['cert_path']),
                endpoints.quoteStringArgument(options['key_path']),
                # IPv6 addresses contain colons, so the interface must be quoted
                endpoints.quoteStringArgument(options['ipv6_address'])))
        ipv4 = internet.StreamServerEndpointService(ipv4_server, meteo_factory)
        ipv6 = internet.StreamServerEndpointService(ipv6_server, meteo_factory)
        root = MultiService()
        ipv4.setServiceParent(root)
        ipv6.setServiceParent(root)
        return root

    serviceMaker = MeteoServiceMaker()
--- PGP-Key: CDE74120 ☀ computing @ chaos claudius
Hi Axel,
I don't know offhand how to produce a string that does what you want, but it will probably be much easier to instantiate the endpoint classes directly.
https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.SSL4ServerEndpoint.html
I think we're missing an SSL6ServerEndpoint, unfortunately.
Also unfortunately, SSL4ServerEndpoint is an old-style API (it uses reactor.listenSSL underneath). It takes an IOpenSSLContextFactory that can customize the OpenSSL context arbitrarily.
The new API, used by the ssl: client string syntax, is wrapClientTLS https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#wrapClientTLS. We don't have a wrapServerTLS yet, but it's definitely something we should have, if you're interested in adding it. You'd wrap that around TCP4ServerEndpoint and TCP6ServerEndpoint.
---Tom
On Thu, Mar 26, 2020, at 12:24 PM, Axel Rau wrote:
Twisted-web mailing list Twisted-web@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
For what it's worth, the implementation of wrapServerTLS is fairly straightforward; you can see it here: https://github.com/glyph/txsni/blob/5014c141a7acef63e20fcf6c36fa07f0cd754ce1/txsni/tlsendpoint.py#L3-L12
We just need someone to write up some nice docstrings, update the docs, test cases, etc so we can integrate this into Twisted.
Once we've got that, we can quickly begin the process of eliminating SSL4ServerEndpoint. (We should not add an SSL6ServerEndpoint, as that would be as much or more work than adding wrapServerTLS, and a worse implementation strategy.)
-glyph
On Mar 28, 2020, at 4:47 PM, Tom Most twm@freecog.net wrote: