
DefaultOpenSSLContextFactory should have been deprecated a long time ago. It's insecure, and in particular does not set a cipher string, so it uses DEFAULT. That will have all kinds of messed up priorities. For that reason, you should adjust your code to use OpenSSLCertificateOptions or, even better, use the TLS endpoint directly. The TL;DR is: yes, it seems that DefaultOpenSSLContextFactory produces a context that is genuinely unacceptable for HTTP/2.
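Cory's point above, as an added illustration that is not part of the thread and not Twisted's own code: using only the standard-library ssl module, expand a cipher string the way OpenSSL will and sort the result into suites HTTP/2 accepts and suites it black-lists. The cipher string HTTP2_CIPHERS, the "AEAD plus ephemeral key exchange" rule used to approximate RFC 7540 Appendix A, and the function names are this example's assumptions; in Twisted the same string is what you would hand to CertificateOptions(acceptableCiphers=AcceptableCiphers.fromOpenSSLCipherString(...)) or encode in an `ssl:` endpoint description.

```python
"""Added example (not Twisted code): what an OpenSSL cipher string really
enables, checked against what HTTP/2 (RFC 7540 section 9.2.2) permits.

Only the standard-library ``ssl`` module is used, so this runs offline.
"""
import ssl

# Cipher string chosen for this example (an assumption, not a Twisted default):
# forward-secret AEAD suites only, which is what RFC 7540 asks for.
HTTP2_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def _is_ephemeral(cipher):
    """True when the suite's key exchange is ECDHE/DHE (TLS 1.3 always is)."""
    kea = cipher.get("kea") or ""
    if kea == "kx-any":          # TLS 1.3 suites: key exchange negotiated separately
        return True
    if kea:                      # e.g. kx-ecdhe, kx-dhe, kx-ecdhe-psk vs kx-rsa, kx-psk
        return "dhe" in kea
    # Older builds without the structured field: fall back to the suite name.
    return cipher.get("name", "").startswith(("ECDHE-", "DHE-", "TLS_"))


def _is_aead(cipher):
    """True for AEAD suites (GCM, CCM, ChaCha20-Poly1305); CBC and RC4 are not."""
    aead = cipher.get("aead")
    if aead is None:             # older builds: infer from the suite name
        aead = any(tag in cipher.get("name", "") for tag in ("GCM", "CHACHA20", "CCM"))
    return bool(aead)


def http2_audit(cipher_string):
    """Expand *cipher_string* as OpenSSL does and split the enabled suites into
    ones HTTP/2 accepts (AEAD + ephemeral key exchange) and ones it black-lists.
    That rule approximates RFC 7540 Appendix A (all static-RSA/DH and all
    non-AEAD suites are on the list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:  # OpenSSL rejects a string that matches nothing
        raise ValueError(f"no cipher matches {cipher_string!r}: {exc}") from None
    report = {"allowed": [], "blacklisted": []}
    for cipher in ctx.get_ciphers():
        key = "allowed" if _is_aead(cipher) and _is_ephemeral(cipher) else "blacklisted"
        report[key].append(cipher["name"])
    return report


def http2_server_context(certfile=None, keyfile=None):
    """A server context set up the way HTTP/2 requires: TLS 1.2 or newer, an
    explicit cipher string instead of DEFAULT, and ALPN advertising h2.
    Certificate paths are the caller's; none ship with this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HTTP2_CIPHERS)
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(["h2", "http/1.1"])
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # DEFAULT (what a context without a cipher string gets) vs the curated list.
    for label in ("DEFAULT", HTTP2_CIPHERS):
        r = http2_audit(label)
        print(f"{label}: {len(r['allowed'])} acceptable, {len(r['blacklisted'])} black-listed")
        for name in r["blacklisted"][:5]:
            print("   black-listed:", name)
```

Run it and DEFAULT shows a long tail of RSA-key-exchange and CBC suites that an HTTP/2 peer is required to refuse, while the explicit string yields none; the same audit applies to any cipher string before it goes into CertificateOptions.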
Indeed it all works fine with endpoints. Thanks! I was not aware that DefaultOpenSSLContextFactory is deprecated. There is no warning about it anywhere. It seems that it is very widely used by users, I just did some github search now and found around 5k occurrences of people using it: https://github.com/search?utf8=%E2%9C%93&q=defaultopensslcontextfactory&type=Code&ref=searchresults If you google for "ssl in twisted" you will also find articles that recommend it. Since so many people use it, maybe it could be updated to be more secure? If it does not make sense to update it then perhaps it would be good to deprecate it so that it does not confuse users?

2016-07-12 9:56 GMT+02:00 Tristan Seligmann <mithrandi@mithrandi.net>:
On Tue, 12 Jul 2016 at 09:43 Cory Benfield <cory@lukasa.co.uk> wrote:
For that reason, you should adjust your code to use OpenSSLCertificateOptions or, even better, use the TLS endpoint directly.
The exported name of this class is actually just "CertificateOptions", fwiw.
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python