Super glad you got this working!

However, what L. Daniel Burr suggested is correct - whether there's an existing ticket or not, the string endpoint should support all of these features.

(However, using pem is fine, too.)

-g

On Aug 31, 2020, at 1:16 PM, John Aherne <johnaherne@rocs.co.uk> wrote:

Thanks for looking all this up.

I'd already decided to drop the endpoint server from string.

So I'm using Hynek Schlawack's PEM package to build the certificate options.

That seems to be working. Anyway, I'm getting an A from Qualys at the moment, having reset the _defaultMinimumTLSVersion back to its default of tlsv1_0 and passing raiseMinimumTo as TLSVersion.TLS1_2.

Thanks for the pointers.

John



On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielburr@me.com> wrote:
Hi John,

I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which is only passing the deprecated ssl method argument to CertificateOptions.

I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser" and use your own description string, e.g., "tls:443:raiseMinimumTo=...".

Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments. That might be the right thing to implement.

Hope this helps,

L. Daniel Burr

On Aug 31, 2020, at 12:02 PM, John Aherne <johnaherne@rocs.co.uk> wrote:

Thanks. That was quick.

Just wondering how I can add that to my endpoint_description for serverFromString.

Or will I have to drop that?

Let me take a look.

Cheers

John

On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielburr@me.com> wrote:
Hi John,

I think you want https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html, specifically, you want to pass the "raiseMinimumTo" parameter.

Hope this helps,

L. Daniel Burr

On Aug 31, 2020, at 10:47 AM, John Aherne <johnaherne@rocs.co.uk> wrote:

I'm using Twisted 20.3 and Python 3.6.8 on Windows 10.

I'm using endpoint_description with a tac file to start up a server.

But I need to disable TLS 1.0 and 1.1.

I was hoping to find a parameter I could pass in to make the system only recognise 1.2 and 1.3. But could not find anything that would do that. I thought sslmethod would be what I wanted but that is limited to:

Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD". If I choose TLSv1_METHOD, TLS 1.0 and 1.1 are still enabled and Qualys complains and downgrades the rating to B.

In the end I found _defaultMinimumTLSVersion in _sslverify.py.

I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.

But I don't think I should be doing that. I think I've missed some obvious place where I can pass in a value to change this.

Anyone know where I should be looking?

Thanks for any info.

--
John Aherne
020 7223 7567
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python





