[Twisted-Python] strports.service, ssl and forcing client certs
I want a line-oriented protocol to listen on an SSL port, and I want client certificate authentication for this. How do I specify this: `strports.service('ssl:4443:privateKey=key.pem:certKey=cert.pem:clientCert=must')` ...or similar?
On Wed, 30 Aug 2006 17:12:02 +0100, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
No: use strports when you want to present strings of this form as a user-interface element, not otherwise. To programmatically configure an SSL server which requires a client certificate use something like this:

```python
from twisted.internet import ssl, reactor
reactor.listenSSL(4443, f, ssl.CertificateOptions())
```

Unlike the older ContextFactory classes, CertificateOptions has somewhat more modern requirements not dictated by HTTP. Specifically, the method is TLSv1 and certificates are required.

Jean-Paul
Jean-Paul Calderone wrote:
> No: use strports when you want to present strings of this form as a user-interface element, not otherwise.
Ok, but interesting. Why not otherwise? Do they have something bad about them?
This is in a .tac file but I get the idea.
When was that added? The only reason I was using strports was that the ContextFactory thing was a royal pain to do even the most basic SSL setup (like e.g. a server cert and key...). I'd be glad to ditch it.
On Fri, 01 Sep 2006 15:57:12 +0100, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> Sorry, ignore the previous reply, I see what you're getting at now. However, CertificateOptions still seems to be newer than 2.4.0:
Hmm, sorry. I thought it made it into 2.4.0, but you're right, it didn't. You can accomplish the same thing without CertificateOptions, it's just a lot less fun. Take a look at what OpenSSL APIs it is using: http://twistedmatrix.com/trac/browser/trunk/twisted/internet/_sslverify.py#L...

The actual object you need to control the behavior of OpenSSL comes from OpenSSL itself. CertificateOptions is just a bit easier to use. Hopefully Twisted 2.5 will be out before much longer...

Jean-Paul
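The two replies above describe the same setup twice: the `reactor.listenSSL(..., ssl.CertificateOptions())` call, and the observation that CertificateOptions is only a convenience over the OpenSSL verification flags. The example below is added here and is not code from the thread or from Twisted itself. It parses a description string in the shape Phil proposed, translates it into the keyword arguments CertificateOptions accepts (`verify`, `requireCertificate`, `caCerts`), and refuses the one combination that looks secure but is not: demanding a client certificate without naming a CA to validate it against. The `clientCert=must` and `caCerts=` keys are a hypothetical extension of the description format used only for illustration; Twisted's real `ssl:` endpoint strings do not accept them. The parsing helpers run with the standard library alone; `build_certificate_options` and `listen` assume Twisted 2.5 or later with pyOpenSSL installed.

```python
"""Turn an ssl:PORT:key=value description into a CertificateOptions configuration.

Added example, not part of the mailing-list thread or of Twisted.
Assumption: ``clientCert=must`` and ``caCerts=`` are hypothetical keys used
here for illustration; Twisted's real ``ssl:`` endpoint strings lack them.
"""

from typing import Dict, Tuple


def parse_ssl_description(description: str) -> Tuple[int, Dict[str, str]]:
    """Split ``ssl:PORT:key=value:key=value`` into (port, options).

    Only the ``ssl`` scheme is accepted, so a ``tcp:`` description can never
    be mistaken for a TLS listener further down."""
    parts = description.split(":")
    if parts[0] != "ssl" or len(parts) < 2:
        raise ValueError("expected an 'ssl:PORT[:key=value...]' description")
    port = int(parts[1])
    options: Dict[str, str] = {}
    for item in parts[2:]:
        if "=" not in item:
            raise ValueError("malformed option %r" % item)
        key, value = item.split("=", 1)
        options[key] = value
    return port, options


def certificate_options_kwargs(options: Dict[str, str]) -> Dict[str, object]:
    """Map description options onto CertificateOptions keyword arguments.

    ``verify`` turns on peer verification against ``caCerts``;
    ``requireCertificate`` additionally fails the handshake when the client
    presents none. Requiring a client certificate without a CA to validate
    it against would accept any certificate at all, so that is rejected."""
    if "privateKey" not in options or "certKey" not in options:
        raise ValueError("privateKey= and certKey= are required for an ssl: listener")
    require_client = options.get("clientCert", "none") == "must"
    ca_file = options.get("caCerts")
    if require_client and not ca_file:
        raise ValueError("clientCert=must needs caCerts=<pem file> to validate against")
    return {
        "privateKey": options["privateKey"],
        "certKey": options["certKey"],
        "verify": require_client,
        "requireCertificate": require_client,
        "caCerts": ca_file,
    }


def build_certificate_options(options: Dict[str, str]):
    """Construct a real twisted.internet.ssl.CertificateOptions.

    Imported lazily so the pure parsing helpers above work without Twisted.
    ``PrivateCertificate.options(*authorities)`` sets verify=True,
    requireCertificate=True and caCerts=[...] when authorities are given."""
    from twisted.internet import ssl  # assumes Twisted 2.5+ and pyOpenSSL

    kwargs = certificate_options_kwargs(options)
    with open(kwargs["privateKey"], "rb") as f:
        key_pem = f.read()
    with open(kwargs["certKey"], "rb") as f:
        cert_pem = f.read()
    # loadPEM accepts one PEM blob holding both the certificate and its key.
    server = ssl.PrivateCertificate.loadPEM(key_pem + b"\n" + cert_pem)
    if kwargs["verify"]:
        with open(kwargs["caCerts"], "rb") as f:
            authority = ssl.Certificate.loadPEM(f.read())
        return server.options(authority)
    return server.options()


def listen(description: str, factory):
    """Listen on the described port with a client-cert-requiring TLS context."""
    from twisted.internet import reactor  # assumes Twisted installed

    port, options = parse_ssl_description(description)
    return reactor.listenSSL(port, factory, build_certificate_options(options))


if __name__ == "__main__":
    # Constructed sample description; the file names are placeholders.
    desc = "ssl:4443:privateKey=key.pem:certKey=cert.pem:clientCert=must:caCerts=ca.pem"
    print(parse_ssl_description(desc))
    print(certificate_options_kwargs(parse_ssl_description(desc)[1]))
```

With a `protocol.ServerFactory` whose protocol is a `LineReceiver`, `listen(desc, factory)` followed by `reactor.run()` gives the listener asked for in the original question; without `caCerts=` the configuration is refused before any socket is opened.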