On 12 Jul 2016, at 17:42, Paweł Miech email@example.com wrote:
Agreed. I’m planning to begin the deprecation process, though it will take a little while as we need to remove all uses of it from within the Twisted codebase itself, as well as from the documentation. That turns out to be a bigger task than expected!
One final point that I glossed over earlier.
To be clear, I was not responding to your specific needs but discussing Glyph’s wider point about alerting when bad configuration is present.
When using Twisted endpoints (e.g. serverFromString), the problem with bad OpenSSL configuration is not bad. If the OS does not support ALPN (OpenSSL versions below 1.0.2), so in the vast majority of Linux systems currently in use, the Chrome connection simply falls back to HTTP 1.1 (I tested this on Ubuntu 14.04). This means there is no error and content is served, so it's some sort of graceful degradation. This behavior is identical to nginx. I'm not sure if Twisted can and should do something about this. Maybe it can print some warning, or maybe it can just let users know in the documentation that HTTP2 support via ALPN (which is required in Chrome) requires OpenSSL 1.0.2? Adding warnings to the code might require some extra development, but it does not look that difficult. If you think about this, you probably don't need to check the ciphers available in the system; you can probably only check the OpenSSL version available and check if the client attempts to use ALPN.
We can actually do better than that.
The way the Twisted APIs are constructed, it knows if it’s got NPN, ALPN, neither, or both. So Twisted is capable of warning in a situation where it has protocols to advertise/negotiate, but no mechanism with which to do it. Unfortunately, I’m not sure of a way of doing it that isn’t intrusive: users opt in to HTTP/2 only by having the HTTP/2 dependencies installed, which they may have for other reasons (they’re common code used by other tools). That means that you could have a situation where you have the HTTP/2 dependencies installed, install Twisted, and then get spammed with warnings because you have older OpenSSLs.
I’m definitely open to it, but I’m not sure that the user experience is good. If anyone has suggestions of how to get a better UX, I’m open to it.
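The warning logic the reply above sketches (advertised protocols but no mechanism to negotiate them), as an added example that is not Twisted's code: it reads the stdlib `ssl` module's `HAS_ALPN`/`HAS_NPN` flags instead of Twisted's internal API, and the mechanism dict, function names and message wording are assumptions of this example.

```python
"""Warn only when a server is configured to offer h2 but cannot negotiate it.
Illustrative check, not Twisted's implementation. Mechanism detection is passed
in as a dict so the policy can be exercised without a matching OpenSSL build."""
import ssl
import warnings
from typing import Optional, Sequence

# Minimum OpenSSL that ships ALPN, as stated in the thread.
ALPN_MIN_OPENSSL = (1, 0, 2)


def local_mechanisms() -> dict:
    """Negotiation support of the interpreter's own OpenSSL (stdlib ssl flags)."""
    return {"alpn": ssl.HAS_ALPN, "npn": ssl.HAS_NPN,
            "openssl": tuple(ssl.OPENSSL_VERSION_INFO[:3])}


def negotiation_warning(protocols: Sequence[bytes], mech: dict) -> Optional[str]:
    """Return warning text if `protocols` would be advertised but cannot be
    negotiated the way clients need; None when the configuration is fine.

    Silent when nothing beyond HTTP/1.1 is advertised, so a user who merely
    has the HTTP/2 dependencies installed is not spammed on old OpenSSL.
    """
    protocols = list(protocols)
    if not protocols or protocols == [b"http/1.1"]:
        return None
    wanted = ", ".join(p.decode() for p in protocols)
    version = ".".join(str(x) for x in mech["openssl"])
    if not (mech["alpn"] or mech["npn"]):
        return (f"configured to advertise {wanted} but OpenSSL {version} supports "
                f"neither ALPN nor NPN (ALPN needs >= "
                f"{'.'.join(map(str, ALPN_MIN_OPENSSL))}); clients will silently "
                f"fall back to HTTP/1.1")
    if not mech["alpn"]:
        # NPN-only builds still degrade for clients that insist on ALPN.
        return (f"advertising {wanted} via NPN only; clients that require ALPN "
                f"(e.g. Chrome) will fall back to HTTP/1.1")
    return None


def warn_if_degraded(protocols: Sequence[bytes], mech: Optional[dict] = None) -> bool:
    """Emit a RuntimeWarning for a degraded setup; returns True if one was issued."""
    msg = negotiation_warning(protocols, mech or local_mechanisms())
    if msg:
        warnings.warn(msg, RuntimeWarning, stacklevel=2)
    return msg is not None
```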