Re: [Twisted-Python] ISSLTransport.getPeerCertificate returning None?
On 09/12/13 22:19, Laurens Van Houtven wrote:
> ... but in the server's AMP protocol, self.transport.getPeerCertificate() is still None :/

Unless you set the appropriate verify options on the server side too, the client cert isn't available for inspection.

___
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
Re: [Twisted-Python] ISSLTransport.getPeerCertificate returning None?
On Tue, Dec 10, 2013 at 9:41 AM, Phil Mayers wrote:
> Unless you set the appropriate verify options on the server side too, the
> client cert isn't available for inspection.

A-ha! But I want to do TOFU-POP; the certs are generated by the client, and there's little point in me signing them (I don't need to be able to verify that I ever signed them somewhere else).

The context factory I got from PrivateCertificate.options() doesn't seem to do what I want, so I wrote my own SSL ContextFactory like it's 1999; I used VERIFY_PEER with a callback that always claims it validated:

    from OpenSSL.SSL import Context, TLSv1_METHOD, VERIFY_PEER

    class ContextFactory(object):
        def getContext(self):
            ctx = Context(TLSv1_METHOD)
            ctx.use_certificate_file("cert.pem")
            ctx.use_privatekey_file("key.pem")
            ctx.set_verify(VERIFY_PEER, _verify)
            return ctx

    def _verify(connection, x509, errorNumber, errorDepth, returnCode):
        """Always pretend the certificate verified.
        """
        return True

Does that sound about right, or is there an easier way to do this? (Yeah, yeah, don't hardcode paths etc :))

cheers
lvh
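Added example, not part of the original message or of Twisted: with a verify callback that accepts every certificate, the TLS handshake still proves the client holds the private key, but identity then rests on the application pinning the certificate fingerprint at first use and rejecting any later change. The sketch below shows that pin check. TofuPinStore, PinMismatch, the client_id key and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac


class PinMismatch(Exception):
    """The presented certificate is missing or differs from the pinned one."""


class TofuPinStore(object):
    """Hypothetical in-memory store: client id -> SHA-256 of first-seen cert."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def check(self, client_id, der_bytes):
        """Return "pinned" on first use and "match" afterwards; raise otherwise.

        der_bytes is the DER encoding of the peer certificate, e.g. from
        OpenSSL.crypto.dump_certificate(FILETYPE_ASN1, cert), where cert is
        what transport.getPeerCertificate() returned.
        """
        if not der_bytes:
            # getPeerCertificate() gave None: the server never requested a cert.
            raise PinMismatch("no peer certificate presented")
        seen = self.fingerprint(der_bytes)
        pinned = self._pins.get(client_id)
        if pinned is None:
            self._pins[client_id] = seen  # trust on first use
            return "pinned"
        if not hmac.compare_digest(pinned, seen):
            raise PinMismatch("certificate changed for %r" % (client_id,))
        return "match"


def demo():
    """Run the store over constructed inputs (not real certificates)."""
    store = TofuPinStore()
    cert_a = b"constructed-der-bytes-for-client-cert-A"
    cert_b = b"constructed-der-bytes-for-other-cert-B"
    results = [store.check("alice", cert_a), store.check("alice", cert_a)]
    try:
        store.check("alice", cert_b)
    except PinMismatch:
        results.append("rejected")
    return results
```

A real deployment would persist the pins and decide how a legitimate key rotation is authorised.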
Re: [Twisted-Python] ISSLTransport.getPeerCertificate returning None?
On 08:41 am, p.may...@imperial.ac.uk wrote:
> On 09/12/13 22:19, Laurens Van Houtven wrote:
>> ... but in the server's AMP protocol, self.transport.getPeerCertificate() is still None :/
>
> Unless you set the appropriate verify options on the server side too, the client cert isn't available for inspection.

twisted.internet.ssl.CertificateOptions sets these by default. If you use it, you shouldn't need to do anything else.

Jean-Paul
Re: [Twisted-Python] ISSLTransport.getPeerCertificate returning None?
On 10/12/13 13:21, exar...@twistedmatrix.com wrote:
> On 08:41 am, p.may...@imperial.ac.uk wrote:
>> On 09/12/13 22:19, Laurens Van Houtven wrote:
>>> ... but in the server's AMP protocol, self.transport.getPeerCertificate() is still None :/
>>
>> Unless you set the appropriate verify options on the server side too, the client cert isn't available for inspection.
>
> twisted.internet.ssl.CertificateOptions sets these by default. If you use it, you shouldn't need to do anything else.

Are you sure about that? It does not match my recollection.
Re: [Twisted-Python] ISSLTransport.getPeerCertificate returning None?
Somehow, JP's e-mail did not make it into my inbox :-(

Anyway, using the context factory that I got from ssl.PrivateCertificate.options() (which I think is CertificateOptions), I wasn't able to inspect the peer certificate. That's on 13.2.

Using the context factory I pasted in a previous e-mail, it's now working great :)

cheers
lvh
Re: [Twisted-Python] Filing Bugs
On 12/09/2013 12:43 PM, Daniel Sank wrote:
> This is an update because glyph asked about this issue in another thread but I want to put the information where it belongs:
>
> 1. Try to log in. Does not accept credentials (login box simply reappears with username and password fields blank).
> 2. Cannot find a password reset option. Scratch head.
> 3. Google "twisted password reset". Find this page: http://twistedmatrix.com/trac/reset_password.
> 4. Ask for password reset. Receive email.
> 5. Try new password, goto 1.

I am unable to reproduce (in Chrome, using HTTPS rather than HTTP). I am able to sign in with newly created user... but resetting the password doesn't work, it gives me a "The email and username must match a known account." message which is quite bogus. I see nothing different between the new account I created, the danielsank account and my real account when using the Admin UI.

A second account created with Firefox did show the failure to login, but browser may be unrelated. This is still pretty bad, since password resets don't work, but I can't actually get them to be emailed.

I hate Trac so very much.

I suspect some issue with cookies, since I've created multiple logins but it keeps trying to log me in as a different one. Might be browser auth history though, hard to tell.

Can you try deleting all cookies for twistedmatrix.com and then try the reset again, or perhaps login with last reset password you got?
Re: [Twisted-Python] Filing Bugs
> Can you try deleting all cookies for twistedmatrix.com and then try the reset
> again, or perhaps login with last reset password you got?

1. Deleted all cookies
2. Asked for password reset
3. Got new password
4. Tried to log in with new password. Does not work.