All we have to do is have some kind of per connection certificate store or flag. If acme is in the first packet and the special certificate exists, send it. Otherwise send the normal certificate, for a very short window of possible brokenness. Letsencrypt may or may not require correct alpn negotiation. Should be simple.
I'm happy running the acme client separately and listing my domain instead of doing it all on demand inside twisted.
On Sat, Mar 23, 2019, 23:59 Glyph firstname.lastname@example.org wrote:
On Mar 23, 2019, at 4:06 PM, Daniel Holth email@example.com wrote:
HOLY REGEX BATMAN
def bio_write(self, buf): if ACME_TLS_1 in buf: self.acme_tls_1 = True self.bio_write = self._obj.bio_write return self._obj.bio_write(buf) Now we can choose the acme certificate store in the sni callback and make letsencrypt happy!
Twisted-Python mailing list Twisted-Python@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python