On Oct 26, 2017, at 6:35 AM, Enoch W. <ixew@hotmail.com> wrote:

Thanks Jason,

With a more specific error message raised by github latest code [thanks!] the problem became clear.
I suggest to change the documentation of 'optionsForClientTLS' -

ctx = ssl.optionsForClientTLS(hostName, trustRoot=root, clientCertificate=mycert)

ctx = ssl.optionsForClientTLS(commonName, trustRoot=root, clientCertificate=mycert)

That is, what this ctx (the contextFactory) really expects is the server's certificate commonName which often is, but not in my case, the server's hostName.

Interestingly, Python's standard ssl package does not verify this field.

It sounds like you somehow installed Twisted without the "service_identity" module; it only verifies commonName if it has no other choice.

When you install Twisted, be sure to install the `tls` extra: pip install twisted[tls].