Re: [Twisted-Python] SSLContext not valid for TLS Server

2017-08-25 Thread Cory Benfield
This is a somewhat-known issue that I’ve had bubbling on the backburner for 
some time. For a long time PyOpenSSL didn’t automatically load all EC curves 
and didn’t provide any API to do so, so Twisted told OpenSSL which curve to 
use. Some time ago PyOpenSSL changed this behaviour to automatically load all 
curves, which would resolve this issue.

The most comprehensive fix here is to do some history spelunking in PyOpenSSL 
to find out what the lowest version is that has this code block[1] in it, and 
then only execute the current ecCurve logic if that code block doesn’t appear 
to have worked.

Cory


[1]: https://github.com/pyca/pyopenssl/blob/master/src/OpenSSL/SSL.py#L632-L636

> On 24 Aug 2017, at 20:40, Thomas Hartwich wrote:
> 
> I think I now know why it is not working. As I initially suspected that ECC 
> could be the reason, it seems to have come true. No matter what kind of ECC 
> curve I use, the current implementation of Twisted always uses the prime256v1 
> curve. Maybe because pyOpenSSL hasn't got full ECC support currently!? (got 
> it from some comments in _sslverify.py)
> 
> In my setting I use the secp521r1 curve and for testing purposes I created a key 
> pair of prime256v1 and this works with CertificateOptions. If you have a look 
> at the implementation of twisted.internet._sslverify you will see that 
> prime256v1 is always used as the default curve and it seems that no other curve 
> is being accepted. This should be the reason why CertificateOptions does not 
> work for my ECC key.
> 
> But somehow it works even with secp521r1 if I use the 
> DefaultOpenSSLContextFactory. So do you know any workaround so that Twisted 
> accepts curves other than prime256v1?
> 
> Thank you!
>  
> 
> Sent: Wednesday, 23 August 2017 at 06:21
> From: Glyph 
> To: "Twisted general discussion" 
> Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
> 
>  
> 
> On Aug 22, 2017, at 9:16 AM, Thomas Hartwich <ceebor...@gmx.de> wrote: 
> 
> Yes, you're right for sure. As an alternative I tried to instantiate an 
> object from twisted.internet._sslverify.OpenSSLCertificateOptions (as it is 
> used by PrivateCertificate e.g.):
> 
> co = OpenSSLCertificateOptions(privateKey=pkey,certificate=cert_obj)
>  
> Please note that importing names with "._" in them is relying on private API 
> :).  The public alias for this is `twisted.internet.ssl.CertificateOptions` 
> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.ssl.CertificateOptions.html
>  
> 
> Although it provides an SSL context, it does not work similarly to the 
> options() method I tried before from PrivateCertificate().
> 
> Can you tell me how I can make use of IOpenSSLServerConnectionCreator to 
> create a valid SSL-Context for the TLS server in my case?
>  
> You should probably just use CertificateOptions - I still would like to 
> understand why it doesn't work ;-).
>  
> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html
> is documented here; this is just the interface you should implement (rather 
> than subclassing ContextFactory and implementing getContext) if you want to 
> do something totally custom with the OpenSSL API rather than Twisted's API; 
> I'd still rather understand why Twisted's API, i.e. CertificateOptions, 
> doesn't work for you.
>  
> -glyph 
> 
> Thank you!
>  
> 
> Sent: Sunday, 20 August 2017 at 22:36
> From: Glyph <gl...@twistedmatrix.com>
> To: "Twisted general discussion" <twisted-python@twistedmatrix.com>
> Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
> 
>  
> 
> On Aug 20, 2017, at 9:30 AM, Thomas Hartwich <ceebor...@gmx.de> wrote: 
> 
> Ok, I finally got a solution for my problem. Since, as I know, the TLS server was 
> working with DefaultOpenSSLContextFactory but this only takes file paths to the 
> private key/certificate, I created my own SSL-Context file.
> 
> For anybody who has the same problem: 
> Please note that this solution will prevent the use of TLS 1.3 when it is 
> available, among other problems.
>  
> DefaultOpenSSLContextFactory should be deprecated (I hope someone has the 
> time to do it soon), as is the 'getContext' interface that you're using (you 
> should be using 
> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html

Re: [Twisted-Python] SSLContext not valid for TLS Server

2017-08-25 Thread Amber Hawkie Brown
A quick git blame says that it landed in 
https://github.com/pyca/pyopenssl/commit/6c6bf865acdd3c5ca5f47b1dbc2903023fd286b6 
, which exists in 17.0.0+. We require 16.0.0+, so it ought to be a relatively 
simple version check.

- Amber


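The version gate Cory proposes and Amber narrows down to pyOpenSSL 17.0.0, written out as an added example that is not Twisted's or pyOpenSSL's own code: the function names, the OpenSSL 1.0.2 threshold, the stand-in context class and the sample version strings are assumptions.

```python
# Assumptions (not from the thread): pyOpenSSL >= 17.0.0 enables automatic
# curve selection when a Context is created, and OpenSSL 1.0.2 is the first
# release whose SSL_CTX_set_ecdh_auto makes that possible.
from typing import Tuple

PYOPENSSL_AUTO_CURVES = (17, 0, 0)   # release Amber identified via git blame
OPENSSL_ECDH_AUTO = 0x10002000       # assumption: OpenSSL 1.0.2 version number
FALLBACK_CURVE = "prime256v1"        # the single curve Twisted pinned before

def parse_version(text: str) -> Tuple[int, ...]:
    """'17.0.0', '16.2' or '17.5.0.dev0' -> comparable 3-tuple of ints."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break                      # stop at 'dev0', 'rc1' and similar
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def ecdh_strategy(pyopenssl_version: str, openssl_number: int) -> Tuple[str, str]:
    """("auto", "") if OpenSSL may pick the curve per handshake and pyOpenSSL
    already enabled that; otherwise ("set_tmp_ecdh", curve) for the old path."""
    if (parse_version(pyopenssl_version) >= PYOPENSSL_AUTO_CURVES
            and openssl_number >= OPENSSL_ECDH_AUTO):
        return ("auto", "")
    return ("set_tmp_ecdh", FALLBACK_CURVE)

class RecordingContext:
    """Constructed stand-in for OpenSSL.SSL.Context so this runs offline."""
    def __init__(self):
        self.calls = []

    def set_tmp_ecdh(self, curve):
        self.calls.append(("set_tmp_ecdh", curve))

def configure_ecdh(ctx, pyopenssl_version: str, openssl_number: int) -> str:
    """Pin a curve only where auto-selection is unavailable; return the mode."""
    mode, curve = ecdh_strategy(pyopenssl_version, openssl_number)
    if mode == "set_tmp_ecdh":
        # Real pyOpenSSL expects a crypto.get_elliptic_curve(name) object here.
        ctx.set_tmp_ecdh(curve)
    return mode
```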

[Twisted-Python] HTTP/2 and getPeerCertificate

2017-08-25 Thread Lance Kurisaki
With HTTP/1.1, I used to be able to call 
request.transport.getPeerCertificate(). When the client uses HTTP/2, however, 
it seems that request.transport is None. How does one access the transport with 
HTTP/2? Thank you... Lance

___
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python