All we have to do is have some kind of per connection certificate store or flag. If acme is in the first packet and the special certificate exists, send it. Otherwise send the normal certificate, for a very short window of possible brokenness. Letsencrypt may or may not require correct alpn negotiation. Should be simple. 

I'm happy running the acme client separately and listing my domain instead of doing it all on demand inside twisted.

On Sat, Mar 23, 2019, 23:59 Glyph <> wrote:

> On Mar 23, 2019, at 4:06 PM, Daniel Holth <> wrote:
> class _ConnectionProxy(object):
>    def bio_write(self, buf):
>        if ACME_TLS_1 in buf:
>            self.acme_tls_1 = True
>        self.bio_write = self._obj.bio_write
>        return self._obj.bio_write(buf)
> Now we can choose the acme certificate store in the sni callback and
> make letsencrypt happy!

1. Gross
2. Hooray!


Twisted-Python mailing list