I want a line-oriented protocol to listen on an SSL port, and I want client certificate authentication for this.
How do I specify this:
strports.service('ssl:4443:privateKey=key.pem:certKey=cert.pem:clientCert=must')
...or similar?
On Wed, 30 Aug 2006 17:12:02 +0100, Phil Mayers p.mayers@imperial.ac.uk wrote:
> I want a line-oriented protocol to listen on an SSL port, and I want client certificate authentication for this.
> How do I specify this:
> strports.service('ssl:4443:privateKey=key.pem:certKey=cert.pem:clientCert=must')
> ...or similar?
No: use strports when you want to present strings of this form as a user-interface element, not otherwise.
To programmatically configure an SSL server which requires a client certificate use something like this:
from twisted.internet import ssl, reactor
reactor.listenSSL(4443, f, ssl.CertificateOptions())
Unlike the older ContextFactory classes, CertificateOptions has somewhat more modern requirements not dictated by HTTP. Specifically, the method is TLSv1 and certificates are required.
Jean-Paul
Jean-Paul Calderone wrote:
> No: use strports when you want to present strings of this form as a user-interface element, not otherwise.
Ok, but interesting. Why not otherwise? Do they have something bad about them?
> To programmatically configure an SSL server which requires a client certificate use something like this:
> from twisted.internet import ssl, reactor
> reactor.listenSSL(4443, f, ssl.CertificateOptions())
This is in a .tac file but I get the idea.
> Unlike the older ContextFactory classes, CertificateOptions has somewhat more modern requirements not dictated by HTTP. Specifically, the method is TLSv1 and certificates are required.
>>> import twisted
>>> import twisted.internet.ssl
>>> ssl.CertificateOptions()
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
NameError: name 'ssl' is not defined
>>> twisted.__version__
'2.4.0'
When was that added?
The only reason I was using strports was that the ContextFactory thing was a royal pain to do even the most basic SSL setup (like e.g. a server cert and key...). I'd be glad to ditch it.
On Aug 31, 2006, at 4:32 AM, Phil Mayers wrote:
>> Unlike the older ContextFactory classes, CertificateOptions has somewhat more modern requirements not dictated by HTTP. Specifically, the method is TLSv1 and certificates are required.
> >>> import twisted
> >>> import twisted.internet.ssl
> >>> ssl.CertificateOptions()
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
> NameError: name 'ssl' is not defined
> >>> twisted.__version__
> '2.4.0'
> When was that added?
Your import statement is not consistent with your usage. You probably wanted: from twisted.internet import ssl
Glenn Hochberg wrote:
>> >>> import twisted.internet.ssl
>> >>> ssl.CertificateOptions()
>> Traceback (most recent call last):
>>   File "<stdin>", line 1, in ?
>> NameError: name 'ssl' is not defined
> Your import statement is not consistent with your usage. You probably wanted: from twisted.internet import ssl
Sorry, ignore the previous reply, I see what you're getting at now. However, CertificateOptions still seems to be newer than 2.4.0:
>>> import twisted.internet.ssl
>>> twisted.internet.ssl.CertificateOptions()
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
AttributeError: 'module' object has no attribute 'CertificateOptions'
>>> dir(twisted.internet.ssl)
['Client', 'ClientContextFactory', 'Connector', 'ContextFactory', 'DefaultOpenSSLContextFactory', 'Port', 'SSL', 'Server', '__all__', '__builtins__', '__doc__', '__file__', '__name__', 'address', 'base', 'components', 'implementedBy', 'implements', 'implementsOnly', 'interfaces', 'log', 'socket', 'supported', 'tcp']
>>> twisted.__version__
'2.4.0'
SVN logs look like it was added about a month after the 2.4.0 release?
On Fri, 01 Sep 2006 15:57:12 +0100, Phil Mayers p.mayers@imperial.ac.uk wrote:
> Sorry, ignore the previous reply, I see what you're getting at now. However, CertificateOptions still seems to be newer than 2.4.0:
Hmm, sorry. I thought it made it into 2.4.0, but you're right, it didn't.
You can accomplish the same thing without CertificateOptions, it's just a lot less fun. Take a look at what OpenSSL APIs it is using:
http://twistedmatrix.com/trac/browser/trunk/twisted/internet/_sslverify.py#L...
The actual object you need to control the behavior of OpenSSL comes from OpenSSL itself. CertificateOptions is just a bit easier to use.
Hopefully Twisted 2.5 will be out before much longer...
Jean-Paul
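Jean-Paul's last reply says the same result can be had without CertificateOptions by driving the OpenSSL API directly, and his first reply is what Phil wanted to express as clientCert=must. The following is an added example written for this page, not code from the thread, from Twisted or from pyOpenSSL: an old-style context factory built on pyOpenSSL that refuses any client without a certificate chaining to a trusted CA. It assumes pyOpenSSL is installed, that cert.pem/key.pem are the server's certificate and key and clients.pem is the CA bundle that issued the client certificates (all hypothetical file names), and that Twisted's reactor.listenSSL() needs nothing from the factory beyond getContext(). It goes slightly beyond the thread in disabling everything older than TLS 1.2, since the TLSv1-only method CertificateOptions used in 2006 is no longer acceptable.

```python
"""
Added example (not from the thread, Twisted or pyOpenSSL): a Twisted
context factory built directly on the pyOpenSSL API that requires a
client certificate, i.e. the behaviour of a hypothetical clientCert=must.

Assumptions (hypothetical, not stated in the thread):
  * pyOpenSSL is installed.
  * cert.pem / key.pem hold the server certificate and private key;
    clients.pem is the CA bundle that issued the client certificates.
  * reactor.listenSSL() only calls getContext() on the factory.
"""
from OpenSSL import SSL

# OpenSSL verify-mode bits.  VERIFY_PEER merely *asks* for a certificate;
# only VERIFY_FAIL_IF_NO_PEER_CERT turns "client sent none" into a handshake
# failure.  Forgetting the second flag is the classic way to ship "mutual TLS"
# that any client can bypass by omitting its certificate.
_VERIFY_MODES = {
    "must": SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
    "optional": SSL.VERIFY_PEER,
    "none": SSL.VERIFY_NONE,
}


def verify_mode_for(client_cert):
    """Map a strports-style clientCert value to OpenSSL verify flags."""
    try:
        return _VERIFY_MODES[client_cert]
    except KeyError:
        raise ValueError("clientCert must be one of %s" % sorted(_VERIFY_MODES))


def accept_peer(errnum, depth, preverify_ok, max_depth=3):
    """Decision logic for the verify callback (kept pure so it is testable).

    OpenSSL invokes the callback once per certificate in the chain with its
    own verdict (preverify_ok) and error code (errnum; 0 means no error).
    Returning True for a certificate OpenSSL rejected would silently override
    that rejection, so this only ever confirms OpenSSL's verdict and adds a
    chain-depth limit.
    """
    if not preverify_ok or errnum != 0:
        return False
    if depth > max_depth:
        return False
    return True


class ClientCertRequiredContextFactory:
    """Old-style Twisted context factory; only getContext() is required."""

    isClient = 0

    def __init__(self, cert_file, key_file, ca_file, client_cert="must"):
        self.cert_file = cert_file
        self.key_file = key_file
        self.ca_file = ca_file
        self.verify_mode = verify_mode_for(client_cert)

    def _verify(self, conn, x509, errnum, depth, preverify_ok):
        # pyOpenSSL verify callback signature; the return value decides
        # whether the handshake continues.
        return accept_peer(errnum, depth, preverify_ok)

    def getContext(self):
        ctx = SSL.Context(SSL.SSLv23_METHOD)
        # SSLv23_METHOD negotiates the highest version both sides support;
        # masking out SSLv2/3 and TLS 1.0/1.1 leaves TLS 1.2 and 1.3.
        ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3
                        | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)
        ctx.use_certificate_file(self.cert_file)
        ctx.use_privatekey_file(self.key_file)
        # Trust anchors for *client* certificates.  Without this every client
        # certificate fails with "unable to get local issuer certificate".
        ctx.load_verify_locations(self.ca_file)
        ctx.set_verify(self.verify_mode, self._verify)
        return ctx


if __name__ == "__main__":
    # Hypothetical line-oriented service of the kind Phil described.
    from twisted.internet import reactor
    from twisted.internet.protocol import Factory
    from twisted.protocols.basic import LineReceiver

    class Echo(LineReceiver):
        def lineReceived(self, line):
            self.sendLine(line)

    f = Factory()
    f.protocol = Echo
    reactor.listenSSL(4443, f, ClientCertRequiredContextFactory(
        "cert.pem", "key.pem", "clients.pem"))
    reactor.run()
```

The verify callback is deliberately boring: it never returns True where OpenSSL returned a failure, because a callback that "fixes up" errors (a common copy-paste mistake) turns client authentication into decoration. Whether a connection may proceed is decided by the verify mode; the callback only adds a depth limit and can be extended to check the client subject against an allow-list.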