>>You can't use connectSSL in combination with UNIX sockets

I'm working on a rewrite of this system which will use endpoints once complete.  So far I've got basic server and client endpoints running over TLS through our reverse proxy.  It's working as expected on a given port, but I'd rather have the server listen on a unix socket.  Based on your comment it sounds possible for a client to connect to a socket over TLS, but is it possible for a server to listen on one over TLS?  I've tried several different approaches and can't seem to find a way.

I tried wrapping a UnixServerEndpoint with my CertificateOptions, then tried to find a way to pass a socket path into an SSL4ServerEndpoint.
I can't seem to find a corresponding wrapServerTLS to the client function Tim posted.

Thanks for your help, and thanks for writing Twisted.  :)


On Sat, Aug 18, 2018 at 2:12 PM Glyph <glyph@twistedmatrix.com> wrote:
On Aug 17, 2018, at 9:24 AM, Sean DiZazzo <sean.dizazzo@gmail.com> wrote:

Starting to look over the docs and I realize I might have just been able to incorporate the `optionsForClientTLS` into what I was already using. 

I was using `reactor.connectSSL()` with a default `ssl.ClientContextFactory()` so I think I can make my own sslClientContextFactory with `optionsForClientTLS(hostname=host)` and pass that in to connectSSL instead.

It would look something like this:

reactor.connectSSL(hostname, port, MyProtocolClientFactory(), optionsForClientTLS(hostname=hostname))

I'll give it a try and play around with it.  If it doesn't work, I'll head back over to the endpoint examples.

This should indeed work for now, but adopting endpoints is a more forward-looking approach; "connectSSL" is a much less flexible API, and will hopefully someday be removed.

For example:

  1. You can't use connectSSL in combination with UNIX sockets
  2. When we (one day) have a client version of the PROXY endpoint, you won't be able to use that with connectSSL
  3. You can't do TLS-in-TLS tunneling with connectSSL for backhaul connections

It's just generally harder to switch to other secure transports if you're not using the endpoint APIs.

Thanks for using Twisted,

Twisted-Python mailing list