[Twisted-Python] SNI callback with support for deferreds

Hello,

A couple of days ago I asked on Stack Overflow about returning a deferred from an SNI callback and having pyOpenSSL wait for it to fire before continuing to handle the request. Thanks to some pointers by Glyph I've found a solution ("workaround") for my problem, involving a fake TLSMemoryBIOProtocol to handle the client hello until the SNI is received, firing the SNI callback, waiting for it to callback and then re-feeding the resulting context to the real TLSMemoryBIOProtocol.

The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted; however, it has no unit tests and needs some design decisions/validation. I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065. Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core.

Anyone willing to help me get a proper patch?

Best,
Jonathan

P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on SSL Labs!

On Oct 25, 2015, at 4:54 AM, Jonathan Stoppani <jonathan@stoppani.name> wrote:

> Hello,
> A couple of days ago I asked on Stack Overflow about returning a deferred from an SNI callback and having pyOpenSSL wait for it to fire before continuing to handle the request.
> Thanks to some pointers by Glyph I've found a solution ("workaround") for my problem, involving a fake TLSMemoryBIOProtocol to handle the client hello until the SNI is received, firing the SNI callback, waiting for it to callback and then re-feeding the resulting context to the real TLSMemoryBIOProtocol.

Really glad to hear that this worked.

> The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted; however, it has no unit tests and needs some design decisions/validation.

It also needs a serious overhaul on its indentation - something messed up happened to that code :).

> I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065. Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core.

Thanks! We don't really support an SNI callback at all (that's purely in the pyOpenSSL layer), so this will be very good to have.

> Anyone willing to help me get a proper patch?

What help do you need? I will be happy to do reviews when it's ready. :)

> P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on SSL Labs!

Really glad to hear this! I do plan to quote you on that :)

-glyph

On Mon, Oct 26, 2015 at 3:37 AM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:

>> The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted; however, it has no unit tests and needs some design decisions/validation.
>
> It also needs a serious overhaul on its indentation - something messed up happened to that code :).

I don't get it, I see it all as PEP8 compliant (will need to adapt spacing to Twisted's code standards, but that should be all).

>> Anyone willing to help me get a proper patch?
>
> What help do you need? I will be happy to do reviews when it's ready. :)

Definitely a review. Even before that I would like to know if the approach as I implemented it is ok design-wise or if it needs adaptations. Also, in which module should the code live? And then there is this: https://gist.github.com/GaretJax/124c523a62ba48c9eec1#file-usage-py-L13-L19 (maybe testing will help in finding out the exact cause of those symptoms).

>> P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on SSL Labs!
>
> Really glad to hear this! I do plan to quote you on that :)

Feel free to! Maybe remove the "out of the box" repetition. :D We will use it as edge load balancer and SSL terminator for http://www.aldryn.com/. Currently we're using Hipache, but it does not support SNI at all and is written in JS. :-( We should deploy the new Twisted based implementation during the course of this week.

Best,
Jonathan

On Oct 26, 2015, at 5:37 AM, Jonathan Stoppani <jonathan@stoppani.name> wrote:

>> It also needs a serious overhaul on its indentation - something messed up happened to that code :).
>
> I don't get it, I see it all as PEP8 compliant (will need to adapt spacing to Twisted's code standards, but that should be all).

Uh... never mind. Must have been some GitHub stylesheet failing to load for me or something; the code looks fine now.