OK, I think I've got it figured out, but I'm still not sure what to do about it.

In twisted.internet._sslverify.py, there's:

_defaultCurveName = u"prime256v1"

Then, later, this curve is set as self.ecCurve on OpenSSLCertificateOptions.  There appears to be no way to change this, but of course "prime256v1" is not the curve I want.

There was a PR recently merged - #928, which uses a PyOpenSSL curve instead of the proxy class which existed prior.  However, it still doesn't allow me to pass a curve name or nid - how can I specify a curve of my choice?

On Sat, Mar 3, 2018 at 8:14 PM, Justin Myles Holmes <twotonespirit@gmail.com> wrote:
Righto!

I notice that there's an issue on PyOpenSSL which appears to address this:

https://github.com/pyca/pyopenssl/pull/636

However, it's not clear that this actually moves the issue forward, as it only provides for getting a PKey from a cryptography EC key, not for actually using it for TLS.

One interesting tidbit I've noticed is that txsni does appear to support TLS with ciphers that use SECP256R1 (also called "NIST P-256" - a curve of questionable parentage), but not SECP256K1 (a curve used by several prominent blockchain projects).

I'm not entirely sure where to turn next.



On Sat, Mar 3, 2018 at 7:06 PM, Glyph <glyph@twistedmatrix.com> wrote:


On Mar 3, 2018, at 2:38 PM, Justin Myles Holmes <twotonespirit@gmail.com> wrote:

I'm trying to bend a little bit of custom TLS - one possible use case for me is a HendrixDeploy object which uses an ethereum keypair to self-sign a certificate.

So I'm wondering: is it currently possible to use an ECC keypair for TLS with Twisted?

Here's what I've discovered:

twisted.internet.sssl.ContextFactory has a method, use_privatekey().  This thing wants an OpenSSL.crypto.PKey object.  And, lo and behold, PKey offers a facility, from_cryptography_key(), which attempts to use a key from cryptography.io, from whence I'm generating keys anyway.  However, it expects an RSA or DSA key, not an EC or ECDSA key.

Glyph suggested that, instead of trying to handle PKeys myself, I might try loading PEM files with txsni or the like.

I can actually get txsni to work with my cert/keypair, but I don't seem to be able to get a client to connect.  For example, Firefox tells me "SSL_ERROR_NO_CYPHER_OVERLAP".

I tried the same things with SSL4ServerEndpoint, and I get exactly the same thing - my protocol's dataReceived method is never run, no output appears in the console, but the client gets this same error.

I notice that there's an issue on PyOpenSSL which appears to address this:

Looks like your message was truncated before getting to the link :-).

-glyph

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python




--



--
Justin Myles Holmes
justinholmes.com
thisisthebus.com
github.com/jMyles/