Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-20 Thread Glyph Lefkowitz
My earlier replies to this thread were pretty terse, so just to expand on it: > On Jul 13, 2016, at 3:39 AM, Cory Benfield wrote: > > >> On 13 Jul 2016, at 10:00, Paweł Miech > > wrote: >> >> > Anyway, I’ll be spending my Twisted time on this for a while I suspect.

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-18 Thread Glyph Lefkowitz
> On Jul 12, 2016, at 12:45 AM, Cory Benfield > wrote: > > >> On 11 Jul 2016, at 20:22, Glyph Lefkowitz > > wrote: >> >> So pyOpenSSL/Cryptography doesn't have SSL_get_current_cipher anywhere? > > get_current_cipher isn’t helpful. In p

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-13 Thread Cory Benfield
> On 13 Jul 2016, at 10:00, Paweł Miech wrote: > > > Anyway, I’ll be spending my Twisted time on this for a while I suspect. > > This will delay HTTP/2 client support, unfortunately. =( > > Isn't it better to get HTTP2 client support and just document things better > for HTTP2? Or maybe even

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-13 Thread Paweł Miech
> Anyway, I’ll be spending my Twisted time on this for a while I suspect. This will delay HTTP/2 client support, unfortunately. =( Isn't it better to get HTTP2 client support and just document things better for HTTP2? Or maybe even backport some features from CertificateOptions to factory? Default

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-13 Thread Cory Benfield
> On 12 Jul 2016, at 22:04, Glyph Lefkowitz wrote: > > 2 years ago, to be precise: > > https://twistedmatrix.com/trac/ticket/6923 > > > Someone fixing this would be tremendously useful. > > -glyph I tried to get started on this yesterday. Unfortu

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Glyph Lefkowitz
> On Jul 12, 2016, at 12:43 AM, Cory Benfield wrote: > > DefaultOpenSSLContextFactory should have been deprecated a long time ago. 2 years ago, to be precise: https://twistedmatrix.com/trac/ticket/6923 Someone fixing this would be tremendously useful. -glyph

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Cory Benfield
> On 12 Jul 2016, at 17:42, Paweł Miech wrote: > > > Agreed. I’m planning to begin the deprecation process, though it will take > > a little while as we need to remove all uses of it from within the Twisted > > codebase itself, as well as from the documentation. That turns out to be a > > big

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Paweł Miech
> Agreed. I’m planning to begin the deprecation process, though it will take a little while as we need to remove all uses of it from within the Twisted codebase itself, as well as from the documentation. That turns out to be a bigger task than expected! +1 One final point that I glossed over earl

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Cory Benfield
> On 12 Jul 2016, at 09:33, Paweł Miech wrote: > > If you google for "ssl in twisted" you will also find articles that recommend > it. Since so many people use it, maybe it could be updated to be more secure? > If it does not make sense to update it then perhaps it would be good to > deprecat

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Paweł Miech
> DefaultOpenSSLContextFactory should have been deprecated a long time ago. It’s insecure, and in particular does not set a cipher string, so it uses DEFAULT. That will have all kinds of messed up priorities. For that reason, you should adjust your code to use OpenSSLCertificateOptions or, even bet

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Tristan Seligmann
On Tue, 12 Jul 2016 at 09:43 Cory Benfield wrote: > For that reason, you should adjust your code to use > OpenSSLCertificateOptions or, even better, use the TLS endpoint directly. > > The exported name of this class is actually just "CertificateOptions", fwiw.

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Cory Benfield
> On 11 Jul 2016, at 20:22, Glyph Lefkowitz wrote: > > So pyOpenSSL/Cryptography doesn't have SSL_get_current_cipher anywhere? get_current_cipher isn’t helpful. In particular, it puts us in an awkward place where we have a connection that has been negotiated for HTTP/2, but we cannot use it.

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Cory Benfield
> On 11 Jul 2016, at 22:04, Paweł Miech wrote: > > This seems to suggest that Ubuntu 16.04 (the system I'm testing) does not > support ciphers required by HTTP2. But nginx article about HTTP2 lists ubuntu > as only linux like system that is able to support HTTP2 over ALPN which is > required

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-12 Thread Paweł Miech
> In an earlier e-mail you mentioned that you were using Python 3. Is that still true? I can reproduce this in Python 2.7.11 and Python 3.5.2. In both of them Chrome responds with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY. When I test with curl with verbose flag I see that it also shows information

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-11 Thread Glyph Lefkowitz
> On Jul 11, 2016, at 4:42 PM, Craig Rodrigues wrote: > > In an earlier e-mail you mentioned that you were using Python 3. Is that > still true? Seconded - it would be very interesting to know if switching to python 2 fixes your issue. :)

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-11 Thread Craig Rodrigues
On Mon, Jul 11, 2016 at 2:04 PM, Paweł Miech wrote: > 1) They say ciphers should be set to ssl_ciphers > EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; > > This long string does not mean much to me, but reading email from Amber > again I see it differs sl

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-11 Thread Paweł Miech
Thanks for input everyone! @Cory > right now it seems like the only thing we could do is detect when HTTP/2 is literally impossible to support (e.g. when there is no TLS 1.2 support) This seems to suggest that Ubuntu 16.04 (the system I'm testing) does not support ciphers required by HTTP2. But

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-11 Thread Glyph Lefkowitz
> On Jul 11, 2016, at 3:35 AM, Cory Benfield > wrote: > >> >> On 11 Jul 2016, at 01:45, Glyph Lefkowitz > > wrote: >> >> >>> On Jul 9, 2016, at 10:30 AM, Paweł Miech >> > wrote: >>> >>> My question is: shoul

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-11 Thread Cory Benfield
> On 11 Jul 2016, at 01:45, Glyph Lefkowitz wrote: > > >> On Jul 9, 2016, at 10:30 AM, Paweł Miech > > wrote: >> >> My question is: should user deal with this kind of stuff themselves? If some >> ciphers are blacklisted in HTTP2 shouldn't this be handled somewhere i

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-10 Thread Glyph Lefkowitz
> On Jul 9, 2016, at 10:30 AM, Paweł Miech wrote: > > My question is: should user deal with this kind of stuff themselves? If some > ciphers are blacklisted in HTTP2 shouldn't this be handled somewhere in > Twisted? As others have already said, this should work out of the box, and I'm not sur

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-09 Thread Amber "Hawkie" Brown
Hmm, I have it working fine (Python 2.7/3.5, w/ Cryptography wheels on OS X)... The default ciphers in Twisted are: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS So I am not sure why it's not picking up "TLS_ECDHE_R

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-09 Thread Donal McMullan
Works for me with txacme and a lets: cert IIRC, when I was trying to use a self signed cert on my local network I got the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error. DJM On 9 July 2016 at 18:30, Paweł Miech wrote: > Thanks for fixing this. > > Did anyone actually manage to make HTTP2 in Twis

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-09 Thread Paweł Miech
Thanks for fixing this. Did anyone actually manage to make HTTP2 in Twisted work with Google-Chrome? I tried to do this today, and it seems this is surprisingly difficult. It turns out that Chrome requires ALPN and it dropped support for NPN. ALPN is only supported with OpenSSL 1.0.2 or above, whi

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-04 Thread Craig Rodrigues
On Sun, Jul 3, 2016 at 3:15 AM, Paweł Miech wrote: > HTTP2 support sounds really exciting. > > > Please let me know if you have any issues, as well as if you don't! If > everything works well, that's a good thing for me to know :) > > I played around with this today and found out that the command

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-04 Thread Cory Benfield
Good catch Paweł. I have opened this issue as Twisted issue #8558: https://twistedmatrix.com/trac/ticket/8558 . I believe I know what the fix is and it’s fairly simple, so I’ll try to address this quickly and see if we can ship the fix in either the n

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-03 Thread Paweł Miech
> AFAIK this is a known issue : Ah thanks, that's ok. One other thing I noticed a propos HTTP 2 is that it seems that reading relatively large file results in error: "priority.priority.MissingStreamError: 'Stream 1 not in tree'". I created simple gist to recreate this issue see here: https://gist

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-03 Thread Adi Roiban
On 3 July 2016 at 11:15, Paweł Miech wrote: > HTTP2 support sounds really exciting. > > > Please let me know if you have any issues, as well as if you don't! If > everything works well, that's a good thing for me to know :) > > I played around with this today and found out that the command you >

Re: [Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement

2016-07-03 Thread Paweł Miech
HTTP2 support sounds really exciting. > Please let me know if you have any issues, as well as if you don't! If everything works well, that's a good thing for me to know :) I played around with this today and found out that the command you recommend: > pip install -U https://twistedmatrix.com/Re