[Twisted-Python] SNI callback with support for deferreds
Hello,

A couple of days ago I asked on Stack Overflow about returning a deferred from an SNI callback and have pyOpenSSL wait for it to fire before continuing handling the request.

Thanks to some pointers by Glyph I've found a solution ("workaround") for my problem, involving a fake TLSMemoryBIOProtocol to handle the client hello until the SNI is received, firing the SNI callback, waiting for it to callback and then re-feeding the resulting context to the real TLSMemoryBIOProtocol.

The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted, however, it has no unit tests and needs some design decisions/validation. I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065.

Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core. Anyone willing to help me get a proper patch?

Best,
Jonathan

P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on ssl labs!
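The buffer-then-replay idea described in the message above, as an added example that is not part of the original post or the linked gist: instead of a fake TLSMemoryBIOProtocol, it reads the SNI name by parsing the ClientHello by hand, while keeping the raw bytes so they can be re-fed to the real TLS layer once the context lookup has fired. `make_client_hello`, `parse_sni` and `SNIGate` are hypothetical names, the hostname is a constructed sample, and the parser assumes the ClientHello fits in a single TLS record.

```python
import contextlib
import ssl
import struct

def make_client_hello(hostname):
    """Constructed sample input: a real ClientHello emitted by the stdlib client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    with contextlib.suppress(ssl.SSLWantReadError):
        conn.do_handshake()  # stops after writing the hello, waiting for a reply
    return outgoing.read()

def parse_sni(buf):
    """Return (complete, hostname); complete=False means keep buffering."""
    if len(buf) < 5:
        return False, None
    ctype, _version, rec_len = struct.unpack("!BHH", buf[:5])
    if ctype != 22 or rec_len > 16384:      # 22 = handshake; cap bounds the buffer
        raise ValueError("not a TLS handshake record")
    if len(buf) < 5 + rec_len:
        return False, None
    body = buf[5:5 + rec_len]
    try:
        if body[0] != 1 or int.from_bytes(body[1:4], "big") + 4 > rec_len:
            raise ValueError("not a single-record ClientHello")
        pos = 4 + 2 + 32                                   # header, version, random
        pos += 1 + body[pos]                               # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
        pos += 1 + body[pos]                               # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0:                                 # server_name extension
                name_len = int.from_bytes(body[pos + 7:pos + 9], "big")
                return True, body[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        raise ValueError("malformed ClientHello")
    return True, None                                      # hello carried no SNI

class SNIGate:
    """Holds handshake bytes back until the SNI name is known, for later replay."""
    def __init__(self):
        self.buffered = b""

    def feed(self, data):
        self.buffered += data
        return parse_sni(self.buffered)
```

Once `feed` reports completion, the asynchronous context lookup can run and `buffered` is what gets written into the real TLS protocol, which validates the hello again itself.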
Really glad to hear that this worked.

> The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted, however, it has no unit tests and needs some design decisions/validation.

It also needs a serious overhaul on its indentation - something messed up happened to that code :).

> I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065. Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core.

Thanks! We don't really support an SNI callback at all (that's purely in the pyOpenSSL layer) so this will be very good to have.

> Anyone willing to help me get a proper patch?

What help do you need? I will be happy to do reviews when it's ready. :)

> P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on ssl labs!

Really glad to hear this! I do plan to quote you on that :)

-glyph
On Mon, Oct 26, 2015 at 3:37 AM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:

I don't get it, I see it all as PEP8 compliant (will need to adapt spacing to Twisted's code standards, but that should be all).

> > Anyone willing to help me get a proper patch?
>
> What help do you need? I will be happy to do reviews when it's ready. :)

Definitely a review. Even before that I would like to know if the approach as I implemented is ok design wise or if it needs adaptations. Also, in which module should the code live? And then there is this: https://gist.github.com/GaretJax/124c523a62ba48c9eec1#file-usage-py-L13-L19 (maybe testing will help finding out the exact cause of those symptoms).

> > P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on ssl labs!
>
> really glad to hear this! I do plan to quote you on that :)

Feel free to! Maybe remove the "out of the box" repetition. :D

We will use it as edge load balancer and SSL terminator for http://www.aldryn.com/. Currently we're using Hipache, but it does not support SNI at all and is written in JS. :-( We should deploy the new Twisted based implementation during the course of this week.

Best,
Jonathan
Participants (2): Glyph Lefkowitz, Jonathan Stoppani