[Twisted-Python] Twisted 14.0.0pre3 Announcement

Hi everyone, here’s a new Twisted 14.0 prerelease for you!

Tarballs for this prerelease can be found at <http://twistedmatrix.com/Releases/pre/14.0.0pre3>, with the changelog at <http://twistedmatrix.com/Releases/pre/14.0.0pre3/NEWS.txt>.

Changes from the previous prerelease include:

- Making Twisted Agent do HTTPS hostname verification.

For more information and a full list of changes, check the NEWS.txt file. Please download the tarballs and test them with your applications, so we can make sure we’re all ready for release!

-hawkowl
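The hostname-verification step this prerelease adds to Agent is, in essence, the check below: an HTTPS client compares the name it set out to reach against the certificate's subjectAltName entries, so a certificate that chains to a trusted CA but names some other host is rejected. This is an added, standalone illustration of the matching rules, not Twisted's own code; the SAN list and the 203.0.113.x address are constructed.

```python
import ipaddress

def _dns_label_matches(pattern_label, host_label):
    # Only a whole-label "*" is a wildcard, and it must match a non-empty label.
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label

def dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, '*' only as the whole
    leftmost label, never spanning a dot, never matching a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard outside the leftmost label
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False  # partial wildcards such as "f*.example.com" are refused
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # "*.com" must not cover every domain
    return all(_dns_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def verify_hostname(san_entries, hostname):
    """True if the intended hostname is covered by the certificate's SANs.
    san_entries: ("DNS", name) / ("IP Address", addr) pairs, the shape that
    Python's ssl.getpeercert()["subjectAltName"] uses."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None  # a DNS name: only dNSName entries may match it
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_name_matches(value, hostname):
            return True
    return False

# Constructed SAN list (address from the documentation range), not from any real cert.
EXAMPLE_SAN = (("DNS", "twistedmatrix.com"), ("DNS", "*.twistedmatrix.com"),
               ("IP Address", "203.0.113.10"))
```

A client that skips this step accepts any valid certificate regardless of the name it carries, which is the gap the prerelease closes for Agent.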

Hello everyone, due to a silly mistake on my part, I had to merge in a dependency of the ticket I merged in last prerelease.

Tarballs for this prerelease can be found at <http://twistedmatrix.com/Releases/pre/14.0.0pre4>, with the changelog at <http://twistedmatrix.com/Releases/pre/14.0.0pre4/NEWS.txt>.

Changes from the previous prerelease include:

- Making Twisted Agent do HTTPS hostname verification. (Properly this time)

For more information and a full list of changes, check the NEWS.txt file. Please download the tarballs and test them with your applications, so we can make sure we’re all ready for release!

-hawkowl

Hi everyone, just a few changed bytes to fix some news file entries.

Tarballs for this prerelease can be found at <http://twistedmatrix.com/Releases/pre/14.0.0pre5>, with the changelog at <http://twistedmatrix.com/Releases/pre/14.0.0pre5/NEWS.txt>.

Changes from the previous prerelease include:

- Newsfile fixes.

For more information and a full list of changes, check the NEWS.txt file. Please download the tarballs and test them with your applications, so we can make sure we’re all ready for release!

-hawkowl

Sorry for the delay, I've tested that treq works with pre5 in the following scenarios.

- Python 2.7, no pyopenssl
- Python 2.7, pyopenssl==0.14
- PyPy 2.2.1, no pyopenssl
- PyPy 2.2.1, pyopenssl==0.14

This is in addition to the testing that treq regularly receives on Twisted Trunk, which has a build currently running: https://travis-ci.org/dreid/treq/builds/23955777

-David

On Sat, Apr 26, 2014 at 1:35 AM, HawkOwl <hawkowl@atleastfornow.net> wrote:

On 29 Apr 2014, at 12:16, HawkOwl wrote:
If anyone else has some applications they run, please try out pre5!
Look at all the ECDHEHEHE: “gnutls-cli -s --crlf imap.variomedia.de -p 4190” (and DHEHEHEHE too if you add “--priority='PFS:!ECDHE-RSA'”). Tests are passing everywhere too.

On Apr 29, 2014, at 3:44 AM, Hynek Schlawack <hs@ox.cx> wrote:
If anyone else has some applications they run, please try out pre5!
Look at all the ECDHEHEHE: “gnutls-cli -s --crlf imap.variomedia.de -p 4190” (and DHEHEHEHE too if you add “--priority='PFS:!ECDHE-RSA'”).
Okay I can't even tell when TLS things are a joke any more. Is 'ECDHEHEHE' a real cipher suite or are you just laughing? ;-) -g

On Apr 29, 2014, at 3:16 AM, HawkOwl <hawkowl@atleastfornow.net> wrote:
I've upgraded <https://glyph.im/> (and therefore <https://glyph.twistedmatrix.com/> and <https://pip2014.com/> and <https://tm.tl/> and a number of other sites that nobody cares about) to the prerelease: <https://asciinema.org/a/9216>.

Smooth sailing so far, except for this one peculiarity; it crashes ssltest now: <https://www.ssllabs.com/ssltest/analyze.html?d=tm.tl>

This might have nothing to do with the prerelease (for unrelated reasons I had to perform some other upgrades before I got around to it). Also it looks like a bug on ssllabs' side of things, not a problem with Twisted. But if someone slightly more experienced with TLS wanted to look at the traffic from that server it might be interesting.

-glyph

On 1 May 2014, at 13:28, Glyph wrote:
When I connect to the hosts you mention using openssl (don’t forget to set -servername if you play along) I only get TLSv1. Is it possible that there’s some custom TLS code laying around?

—h

P.S. The cert chain is apparently completely wrong: http://glui.me/?i=ek3zvx7v2wrlsgm/2014-05-01_at_13.55.png/ Apparently you send out an anchor but missing an intermediate certificate?

FWIW, https://www.ssllabs.com/ssltest/analyze.html?d=blog.dreid.org is on 14.0pre5, and it seems to work, so… (it even gets A+!!!!!)

-hawkowl

On 1 May 2014, at 19:56, Hynek Schlawack <hs@ox.cx> wrote:

On May 1, 2014, at 4:56 AM, Hynek Schlawack <hs@ox.cx> wrote:
When I connect to the hosts you mention using openssl (don’t forget to set -servername if you play along) I only get TLSv1. Is it possible that there’s some custom TLS code laying around?
As far as I can see, only <https://github.com/glyph/txsni>. It constructs the CertificateOptions in <https://github.com/glyph/txsni/blob/master/txsni/only_noticed_pypi_pem_after...> (whose name suggests a change I need to make to this library). Am I forgetting some cool new options to CertificateOptions? The machine is an Ubuntu 14.04 machine with libssl1.0.0:libssl1.0.1f-ubuntu-don't-have-a-heart-attack-it's-actually-g (I seriously wish they wouldn't do that with security patches). Any other packages I should be looking for? -glyph

On 1 May 2014, at 21:28, Glyph Lefkowitz wrote:
If you want DHE, you need to load DH parameters: http://twisted.readthedocs.org/en/latest/core/howto/ssl.html#tls-protocol-op... too. Why your server only accepts TLSv1 is beyond me off the cuff.
Well, that’s what distributions do. *shrug* They don’t update your software so nothing breaks; they just fix the security issues (thus it’s not necessarily g; Ubuntu’s fix *can* be very different from what OpenSSL did).

On May 1, 2014, at 1:08 PM, Hynek Schlawack <hs@ox.cx> wrote:
I'm going to make txsni use pem, and then get the automagical DH params version with 0.4 ;-).
Why your server only accepts TLSv1 is beyond me off the cuff.
Oh hah, I think I got it: in order to do SNI with OpenSSL, you need an _initial_ context. For me, in txSNI, that's an incredibly poorly-set-up one just specifying TLSv1_METHOD, here: <https://github.com/glyph/txsni/blob/master/txsni/snimap.py#L11>

I should probably have a default DEFAULT.pem symlink in there or something.

Another name hosted on that domain is <https://www.ssllabs.com/ssltest/analyze.html?d=glyph.twistedmatrix.com> which doesn't have any of the spurious chain errors.

-glyph

On May 1, 2014, at 4:56 AM, Hynek Schlawack <hs@ox.cx> wrote:
P.S. The cert chain is apparently completely wrong: http://glui.me/?i=ek3zvx7v2wrlsgm/2014-05-01_at_13.55.png/ Apparently you send out an anchor but missing an intermediate certificate?
What even is a pem, how can a chain be correct I don't even know. I used 'cat' to put some stuff into files. This was not crashing ssltest before :). -glyph

participants (6): David Reid, Glyph, Glyph Lefkowitz, HawkOwl, Hynek Schlawack, Ray Cote