[Twisted-Python] Issue with TLS failure modes

2018-08-30 Thread Robert DiFalco
I'm having an issue properly handling TLS failure modes. For example
consider the EchoServer and EchoClient code. If I use a TLS client with a
TCP4 server, I do not get a handshake exception until I abort the
connection. But I don't want to abort the connection unless I get a
handshake error.

What I'd like to do is to check the handshake status in my protocol before
my client sends bytes to the server. I'd like my send message to be able to
raise the : [('SSL routines', 'ssl23_read', 'ssl
handshake failure'). But for some reason it seems to get lost until I abort
the connection. Does this sound familiar to anyone?

What I've done for now is set up a Timeout mixin so that after my
client.send, if I do not get an ACK back (which my particular protocol
does) within two minutes, I just abort the connection. This then calls
connectionLost with the correct SSL.Error. But if it's in the error queue
(and found during the course of abortConnection), then isn't there a way to
find it sooner? Like before my timeout and before I call send on the client
protocol?

Thanks!
___
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
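The failure mode in the post, a TLS client talking to a plaintext TCP echo-style server, reproduced outside Twisted with the standard library `ssl` module as an added example (not code from the poster or the Twisted project). With a blocking socket the handshake runs eagerly inside `wrap_socket()`, so the SSL error surfaces before any application bytes are written; the localhost server and its cleartext banner are constructed for the example.

```python
import socket
import ssl
import threading

# Constructed stand-in for a plain TCP echo-style server: it never speaks TLS,
# so the client's ClientHello is answered with a cleartext banner.
PLAINTEXT_BANNER = b"echo server ready\r\n"


def _serve_one_plaintext_connection(listener, seen):
    """Accept one client, record what it sent first, and reply in cleartext."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        seen["first"] = conn.recv(4096)  # the client's ClientHello record
        conn.sendall(PLAINTEXT_BANNER)   # not a ServerHello, so the handshake fails


def probe_handshake(timeout=5.0):
    """Run a TLS client against the plaintext server; report where it failed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}
    server = threading.Thread(target=_serve_one_plaintext_connection,
                              args=(listener, seen))
    server.start()

    result = {"handshake_ok": False, "error": None, "app_bytes_sent": False}
    ctx = ssl.create_default_context()
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        # wrap_socket() runs the handshake right away (do_handshake_on_connect
        # defaults to True), so a non-TLS peer fails here, before sendall().
        tls = ctx.wrap_socket(raw, server_hostname="localhost")
        result["handshake_ok"] = True
        tls.sendall(b"hello")
        result["app_bytes_sent"] = True
        tls.close()
    except ssl.SSLError as exc:
        result["error"] = exc.reason  # e.g. 'WRONG_VERSION_NUMBER'
    server.join()
    listener.close()
    # 0x16 is the TLS handshake content type: the client sent its ClientHello
    # and nothing else before the error was raised.
    result["client_sent_clienthello"] = seen.get("first", b"")[:1] == b"\x16"
    return result
```

The returned dict shows the error was raised with `app_bytes_sent` still False, which is the ordering the poster wants to observe from a Twisted protocol before its first write.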


Re: [Twisted-Python] Can transport.write() to hostname instead of IP address?

2018-08-30 Thread Sean DiZazzo
> > You can't use connectSSL in combination with UNIX sockets

I'm working on a rewrite of this system which will use endpoints once
complete.  So far I've got basic server and client endpoints running over
TLS through our reverse proxy.  It's working as expected on a given port,
but I'd rather have the server listen on a unix socket.  Based on your
comment it sounds possible for a client to connect to a socket over TLS,
but is it possible for a server to listen on one over TLS?  I've tried
several different approaches and can't seem to find a way.

I tried wrapping a UnixServerEndpoint with my CertificateOptions, then
tried to find a way to pass a socket path into a SSL4ServerEndpoint.
Can't seem to find a corresponding wrapServerTLS to the client function
Tim posted.

Thanks for your help, and thanks for writing Twisted.  :)

~Sean

On Sat, Aug 18, 2018 at 2:12 PM Glyph wrote:

> On Aug 17, 2018, at 9:24 AM, Sean DiZazzo wrote:
>
>
> Starting to look over the docs and I realize I might have just been able
> to incorporate the `optionsForClientTLS` into what I was already using.
>
> I was using `reactor.connectSSL()` with a default
> `ssl.ClientContextFactory()` so I think I can make my own
> sslClientContextFactory with `optionsForClientTLS(hostname=host)` and pass
> that in to connectSSL instead.
>
> It would look something like this:
>
> reactor.connectSSL(hostname, port, MyProtocolClientFactory(),
> optionsForClientTLS(hostname=hostname))
>
> I'll give it a try and play around with it.  If it doesn't work, I'll head
> back over to the endpoint examples.
>
>
> This should indeed work for now, but adopting endpoints is a more
> forward-looking approach; "connectSSL" is a much less flexible API, and
> will hopefully someday be removed.
>
> For example:
>
> 1. You can't use connectSSL in combination with UNIX sockets
> 2. When we (one day) have a client version of the PROXY endpoint, you
>    won't be able to use that with connectSSL
> 3. You can't do TLS-in-TLS tunneling with connectSSL for backhaul
>    connections
>
> It's just generally harder to switch to other secure transports if you're
> not using the endpoint APIs.
>
> Thanks for using Twisted,
>
> -glyph


Re: [Twisted-Python] Using twistd with -c option causes permission error

2018-08-30 Thread Richard Shea
On Wed, 29 Aug 2018, at 11:04 PM, Jean-Paul Calderone wrote:
> On Tue, Aug 28, 2018 at 5:54 AM Richard Shea wrote:
>> With Apache the process starts as root, reads the key and then makes
>> the apache process run as a different, less powerful, user but I
>> can't see how you can do the equivalent for twistd? Am I overlooking
>> something?
>
> twistd has `--uid` and `--gid` options for switching to another user
> after `privilegedStartService` runs.  However, I'm not sure how much
> help this will be since there is a strong desire to replace twistd
> with twist and twist does not have these features.  Perhaps someone
> who has been working on twist can explain the preferred workflow using
> that tool.
Thanks. I had no idea that --uid/--gid did anything other than run
entirely as that user/group.
Unfortunately I'm using twistd to just run a wsgi app (Flask) and so, I
assume, that whatever I provide as 'uid' / 'gid' to twistd will just be
what it runs as.
However I'm writing this without having had a chance to try it; maybe
it reads the cert/key stuff as the user who started the process and
then drops down to 'uid'/'gid' ... like I say, I haven't yet had a
chance to try.
Thanks for your reply.


>> Thanks


Re: [Twisted-Python] Can transport.write() to hostname instead of IP address?

2018-08-30 Thread Glyph
On Aug 30, 2018, at 1:22 PM, Sean DiZazzo wrote:
> Can't seem to find a corresponding wrapServerTLS to the client function Tim
> posted.

There is no wrapServerTLS right now in Twisted itself.

https://github.com/glyph/txsni/blob/master/txsni/tlsendpoint.py is available
in txsni though; arguably all of txsni should be in Twisted, but certainly this
should be.  If you wanted to write a PR that added some docstrings and unit
tests that would be great :).

-glyph