[Twisted-Python] "mind" introduced strangely in pb howto
Dear Twisted readers,

I am trying to learn the ins and outs of twisted.spread.pb with the official howto as my main point of reference. When I get to the section "Managing Clients of Perspectives" the first sentence reads

"In all the IPerspective uses we have shown so far, we ignored the mind argument and created a new Avatar for every connection. This is usually an easy design choice, and it works well for simple cases."

This seems odd because nothing in the howto up to this point mentions a "mind argument". Also IPerspective and Avatar are only briefly introduced but never used in an example up to this point. I'm not good enough with pb yet to want to suggest an alteration but this confused me enough that I thought I should bring it up.

Yours sincerely

--
Daniel Sank
Department of Physics
Broida Hall
University of California
Santa Barbara, CA 93117
(805)893-3899
I should clarify something: I understand that Avatar and Mind are introduced in the cred section. I'll venture to suggest that the pb section simply refers and links to that.
On Oct 22, 2013, at 11:33 PM, Daniel Sank <sank.daniel@gmail.com> wrote:
I should clarify something:
I understand that Avatar and Mind are introduced in the cred section. I'll venture to suggest that the pb section simply refers and links to that.
This sounds like a clear bug in the documentation, and even if you don't have a fix proposed yet, please feel free to file a documentation ticket for it. The more detail you have about why you found it confusing, the better. -glyph
I think I have figured out what's wrong with the documentation. Some of the chapters are out of order. It looks like the logical flow was broken as new chapters were inserted. For example, the chapter "Authentication with Perspective Broker" refers to "Using Perspective Broker" as the "previous chapter" whereas this is not how the chapters are actually currently ordered.
please feel free to file a documentation ticket for it
I just tried to register so I could do that. When I clicked on the register button after filling out the username/password fields my browser (firefox) brought up a notice that the security certificate is invalid because of unavailable issuance chain information. Knowing absolutely nothing about internet security issues I thought I should mention this and ask if this is expected behavior.

Sincerely

--
Daniel Sank
Department of Physics
Broida Hall
University of California
Santa Barbara, CA 93117
I just tried to register so I could do that. When I clicked on the register button after filling out the username/password fields my browser (firefox) brought up a notice that the security certificate is invalid because of unavailable issuance chain information. Knowing absolutely nothing about internet security issues I thought I should mention this and ask if this is expected behavior.
I wouldn't call that expected behavior, since

a) the certificate used on twistedmatrix.com contains (as it should) intermediate CA certs also (see attachments)
b) Firefox (but not Chrome) is usually able to dynamically retrieve intermediate CA certs to fill in gaps in the certificate chain

Mmmh. Probably you are on a locked down network where a MITM TLS proxy kicks in which rewrites the cert.

If you care, could you open the page in your browser, double click the small "lock icon" left to the "https://" in the address bar and send a screenshot of the dialog shown (as the one attached)?

/Tobias
On 24 Oct 2013, at 09:02, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:
I just tried to register so I could do that. When I clicked on the register button after filling out the username/password fields my browser (firefox) brought up a notice that the security certificate is invalid because of unavailable issuance chain information. Knowing absolutely nothing about internet security issues I thought I should mention this and ask if this is expected behavior.
I wouldn't call that expected behavior, since
a) the certificate used on twistedmatrix.com contains (as it should) intermediate CA certs also (see attachments)
I'm not sure what you mean by "contains"? It certainly *relies* on one but unfortunately doesn't send it along (yet):

$ openssl s_client -host www.twistedmatrix.com -port 443
CONNECTED(00000003)
depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster@twistedmatrix.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster@twistedmatrix.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster@twistedmatrix.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster@twistedmatrix.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Ah, right. Seems Chrome changed its behavior .. at one point it wasn't able to load intermediate certs .. and hence I assumed from the dialog that the Twisted cert has the intermediate cert contained. Wrong.

FWIW, you can manually concatenate certs .. this is what we do (also for StartSSL):

$ cat myserver_plain_cert.crt > myserver.crt
$ cat ../sub.class1.server.sha2.ca.pem >> myserver.crt
$ cat ../ca.pem >> myserver.crt

A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.

However: this all does not explain (at least I don't understand) why the OP has that issue showing up .. Firefox is able to load intermediate CA certs from the net .. I have seen it .. also for StartSSL certs. Something is breaking this. Maybe it's MITM TLS, maybe they blocked intermediate cert auto-loading, .. dunno.

/Tobias
On 24 Oct 2013, at 09:48, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:
FWIW, you can manually concatenate certs .. this is what we do (also for StartSSL):
$ cat myserver_plain_cert.crt > myserver.crt
$ cat ../sub.class1.server.sha2.ca.pem >> myserver.crt
$ cat ../ca.pem >> myserver.crt
A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.
That is completely new to me. Are you sure you’re not mixing up Twisted’s behavior with nginx? If what you say is true, there would have never been the need for #2061 and the monkey patching everyone was doing before it landed. Can you point me at a server where you have deployed TLS like that please?
A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.
That is completely new to me. Are you sure you're not mixing up Twisted's behavior with nginx?
If what you say is true, there would have never been the need for #2061 and the monkey patching everyone was doing before it landed. Can you point me at a server where you have deployed TLS like that please?
https://crossbardemo.tavendo.de/ws This works for me in Chrome, FF and IE. It is Twisted Web / Autobahn. Nothing in front. Now, using openssl s_client -host crossbardemo.tavendo.de -port 443 spits out errors complaining about "self-signed" cert inside. This might be because I not only included the StartSSL intermediate CA cert, but also their top-level CA cert (which is obviously self-signed). Maybe this is wrong, and one should only include up to (but excluding) root CA cert .. /Tobias
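The bundle layout the last few messages settle on (leaf first, then each intermediate in issuing order, root not needed) can be checked mechanically before the file goes anywhere near a server, and the same check catches the two other failure modes in this thread: a leaf-only file like the one www.twistedmatrix.com was serving, and a self-signed root tacked on the end, which is what made openssl s_client complain about a self-signed certificate in the chain. The following is an added example, not code from the thread or from Twisted. It uses only the Python standard library, walks the DER by hand to pull each certificate's issuer and subject Name out, and compares those Names byte for byte (which is how an issuing CA reproduces them in practice; RFC 5280 permits some normalisation that this check ignores). The certificates it runs on are constructed inside the block with hypothetical names and a zero signature, purely so that it runs offline.

```python
"""Check the order of a concatenated PEM bundle before deploying it.

Added example (not code from the thread or from Twisted).  Rule applied:
leaf first, then each intermediate in issuing order, and no self-signed
root, since clients already hold that.  Standard library only; a small DER
walker extracts issuer/subject Names.  The certificates at the bottom are
constructed here and unsigned, so the check can run offline.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(bundle: bytes) -> list:
    """Split a PEM bundle into DER blobs, preserving file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def names_of(der: bytes) -> tuple:
    """Return (issuer, subject) as raw DER Name encodings (RFC 5280 4.1)."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    start = p
    _, _, p = _tlv(der, p)                  # issuer Name
    issuer = der[start:p]
    _, _, p = _tlv(der, p)                  # validity
    start = p
    _, _, p = _tlv(der, p)                  # subject Name
    return issuer, der[start:p]


def check_chain_order(bundle: bytes) -> list:
    """Return the problems found; an empty list means the bundle is deployable."""
    certs = [names_of(d) for d in pem_to_der_list(bundle)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer(i) must equal subject(i+1)
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}")
    last_issuer, last_subject = certs[-1]
    if last_issuer == last_subject:         # self-signed: a root, which is redundant
        problems.append(f"cert {len(certs) - 1}: self-signed root; drop it from the bundle")
    elif len(certs) == 1:                   # the twistedmatrix.com situation: leaf only
        problems.append("cert 0: leaf only; its issuing intermediate CA must follow it")
    return problems


# --- constructed, unsigned test certificates with hypothetical names --------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn: str, issuer_cn: str) -> bytes:
    """Minimal X.509 v3 shape with a zero signature; enough for names_of()."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"131024000000Z") + _der(0x17, b"141024000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, bytes(5)))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("www.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAF + INTERMEDIATE + ROOT
    print("\n".join(check_chain_order(data) or ["chain order OK"]))
```

Run it as `python check_chain.py myserver.crt` against a real concatenated bundle such as the one built with the cat commands above; an empty problem list means the file is in the order a server should send it, and the "self-signed root" finding is the answer to whether ../ca.pem belongs at the end (it does not).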
On 24 Oct 2013, at 11:10, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:
A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.
That is completely new to me. Are you sure you're not mixing up Twisted's behavior with nginx?
If what you say is true, there would have never been the need for #2061 and the monkey patching everyone was doing before it landed. Can you point me at a server where you have deployed TLS like that please?
https://crossbardemo.tavendo.de/ws
This works for me in Chrome, FF and IE. It is Twisted Web / Autobahn. Nothing in front.
Your server definitely sends three certificates – that’s surprising/confusing. Could you double-check how you’ve achieved that? If you google for chain certs & Twisted you’ll find all kinds of monkey patches to achieve that; and when I run twistd -n web with a pem that has multiple certificates I still get sent only one from the server. I feel like I’m missing something.
Your server definitely sends three certificates - that's surprising/confusing.
Could you double-check how you've achieved that? If you google for chain certs & Twisted you'll find all kinds of monkey patches to achieve that; and when I run twistd -n web with a pem that has multiple certificates I still get sent only one from the server. I feel like I'm missing something.
Ok, sorry, I forgot totally about it .. but this is what we do: https://github.com/crossbario/crossbar/blob/master/crossbar/crossbar/tlsctx.... It indeed relies on "use_certificate_chain_file". Sorry. My fault: it needs patching. /Tobias
On 24 Oct 2013, at 12:44, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:
Your server definitely sends three certificates - that's surprising/confusing.
Could you double-check how you've achieved that? If you google for chain certs & Twisted you'll find all kinds of monkey patches to achieve that; and when I run twistd -n web with a pem that has multiple certificates I still get sent only one from the server. I feel like I'm missing something.
Ok, sorry, I forgot totally about it .. but this is what we do:
https://github.com/crossbario/crossbar/blob/master/crossbar/crossbar/tlsctx....
It indeed relies on "use_certificate_chain_file".
Sorry. My fault: it needs patching.
Phew, you really got me sweating there. :) Since you're not using string representations there, you can move to CertificateOptions which has chain files since 13.1 already (the string support slipped into 13.2 because I don't know how to Python and it got reverted a few days before the release of 13.1 because of a Python 3 regression).
That server isn't terribly elegant/complete at the moment .. sorry, we're right now moving our stuff to Amazon EC2 .. but see attached shots. It _is_ Twisted Web 13.1 (release)
On Oct 24, 2013, at 12:48 AM, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:
However: this all does not explain (at least I dont understand) why the OP has that issue showing up .. Firefox is able to load intermediate CA certs from the net .. I have seen it .. also for StartSSL certs. Something is breaking this. Maybe it's MITM TLS, maybe they blocked intermediate cert auto-loading, .. dunno.
Firefox does not load intermediate CA certs from the network. It - and pretty much all other browsers, as far as I know - will sometimes magically cache intermediary certificates. So if you visit the site in a browser that happens to have had the right intermediate CA certificate cached (probably because you visited another StartSSL free site, in twistedmatrix.com's case) then you will get no warning. This is why most people don't actually see a warning on the site :-). But we'll have this problem fixed For Real soon! -glyph
If you care, could you open the page in your browser, double click the small "lock icon" left to the "https://" in the address bar and send a screenshot of the dialog shown (as the one attached)?
Tried. Can't. Whenever I try to log in or out (bear with me) the lock turns into a globe and I see firefox's security warning thingy. Clicking on the globe shows the screens as given in attachments.

Now you ask how can I be logging out if I never was able to log in? After submitting the registration info I got the security warning so I left that page and emailed the list. When I went back to twistedmatrix.com to try again I was already logged in. Now when I click the log out link I get the same security warning. Is it possible that only the page resulting from log in/out has this problem? Again, I know next to nothing about web security (unless it involves quantum encryption in which case I'll talk your ears off).
maybe the mailing list disallows >2 attachments .. again:

http://picpaste.com/pics/step1-NB1LoEVR.1382620207.png
http://picpaste.com/pics/step2-6zVhXeE6.1382620274.png
http://picpaste.com/pics/step3-KTao4B2V.1382620308.png

-----Original Message-----
From: Tobias Oberstein
Sent: Thursday, 24 October 2013 14:35
To: Twisted general discussion
Subject: RE: [Twisted-Python] "mind" introduced strangely in pb howto

Daniel,

Ok, I've just tried using Firefox Portable (a self-contained browser not relying on any locally installed stuff .. you can run that without Admin rights / installation - caution: when you are on some intranet, the former might be technically possible, but still disallowed .. and admins might still catch you):

http://portableapps.com/apps/internet/firefox_portable

See attached shots. This shows that the cert on twistedmatrix is somewhat lacking .. Firefox complains .. but I _do_ get HTTPS in the end.

Are you surfing from a university (or some other) intranet? If so, the only reason I could think of is that the admins there have set up servers that _intercept_ the initial HTTPS negotiation. How to prove that? Well, that would now get quite technical .. not sure if you want to do that;) Or: just call them up;)

If you are surfing from a regular residential dial-up or such: I have no clue why that happens to you ..

/Tobias
On 24 Oct 2013, at 08:08, Daniel Sank <sank.daniel@gmail.com> wrote:
When I clicked on the register button after filling out the username/password fields my browser (firefox) brought up a notice that the security certificate is invalid because of unavailable issuance chain information. Knowing absolutely nothing about internet security issues I thought I should mention this and ask if this is expected behavior.
This will be fixed as soon as the now-in-prerelease Twisted 13.2 has been deployed to Twisted’s homepage (i.e. hopefully soon). Earlier versions don’t allow the specification of chain certificates unfortunately so it’s up to the browsers to fetch them – or not.
participants (4)
- Daniel Sank
- Glyph
- Hynek Schlawack
- Tobias Oberstein