On Mar 3, 2018, at 2:38 PM, Justin Myles Holmes <twotonespirit@gmail.com> wrote:

I'm trying to bend a little bit of custom TLS - one possible use case for me is a HendrixDeploy object which uses an ethereum keypair to self-sign a certificate.

So I'm wondering: is it currently possible to use an ECC keypair for TLS with Twisted?

Here's what I've discovered:

twisted.internet.sssl.ContextFactory has a method, use_privatekey().  This thing wants an OpenSSL.crypto.PKey object.  And, lo and behold, PKey offers a facility, from_cryptography_key(), which attempts to use a key from cryptography.io, from whence I'm generating keys anyway.  However, it expects an RSA or DSA key, not an EC or ECDSA key.

Glyph suggested that, instead of trying to handle PKeys myself, I might try loading PEM files with txsni or the like.

I can actually get txsni to work with my cert/keypair, but I don't seem to be able to get a client to connect.  For example, Firefox tells me "SSL_ERROR_NO_CYPHER_OVERLAP".

I tried the same things with SSL4ServerEndpoint, and I get exactly the same thing - my protocol's dataReceived method is never run, no output appears in the console, but the client gets this same error.

I notice that there's an issue on PyOpenSSL which appears to address this:

Looks like your message was truncated before getting to the link :-).

-glyph