Thank you for your reply.

> This is a somewhat-known issue that I’ve had bubbling on the backburner for
> some time. For a long time PyOpenSSL didn’t automatically load all EC curves
> and didn’t provide any API to do so, so Twisted told OpenSSL which curve to
> use. Some time ago PyOpenSSL changed this behaviour to automatically load all
> curves, which would resolve this issue.

This, I understand so far.

> The most comprehensive fix here is to do some history spelunking in PyOpenSSL
> to find out what the lowest version is that has this code block[1] in it, and
> then only execute the current ecCurve logic if that code block doesn’t appear
> to have worked.

I don't really get what this implies for me and how I can work around this
issue. What do you mean by "only execute the current ecCurve logic..."? How can
this be done? I have the current versions of Twisted and pyOpenSSL running, so
how can I make sure that the latter loads the right curve properly?

Thank you!

> On 24 Aug 2017, at 20:40, Thomas Hartwich <ceebor...@gmx.de> wrote:
>
> > I think I now know why it is not working. As I initially suspected that ECC
> > could be the reason, it seems to have come true. No matter what kind of ECC
> > curve I use, the current implementation of Twisted always uses the prime256v1
> > curve. Maybe because pyOpenSSL hasn't got full ECC support currently!? (Got
> > it from some comments in _sslverify.py.)
> >
> > In my setting I use the secp521r1 curve, and for testing purposes I created a
> > key pair on prime256v1, and this works with CertificateOptions. If you have a
> > look at the implementation of twisted.internet._sslverify you will see that
> > prime256v1 is always used as the default curve, and it seems that no other
> > curve is being accepted. This should be the reason why CertificateOptions
> > does not work for my ECC key.
> >
> > But somehow it works even with secp521r1 if I use the
> > DefaultOpenSSLContextFactory. So do you know any workaround so that Twisted
> > accepts other curves than prime256v1?
> >
> > Thank you!
> >
> > > Sent: Wednesday, 23 August 2017 at 06:21
> > > From: Glyph <gl...@twistedmatrix.com>
> > > To: "Twisted general discussion" <twisted-python@twistedmatrix.com>
> > > Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
> > >
> > > > On Aug 22, 2017, at 9:16 AM, Thomas Hartwich <ceebor...@gmx.de> wrote:
> > > >
> > > > Yes, you're right for sure. As an alternative I tried to instantiate an
> > > > object from twisted.internet._sslverify.OpenSSLCertificateOptions (as it is
> > > > used by PrivateCertificate, e.g.):
> > > >
> > > > co = OpenSSLCertificateOptions(privateKey=pkey, certificate=cert_obj)
> > >
> > > Please note that importing names with "._" in them is relying on private API
> > > :). The public alias for this is `twisted.internet.ssl.CertificateOptions`
> > > https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.ssl.CertificateOptions.html
> > >
> > > > Although it provides an SSL context, it does not work similarly to the
> > > > options() method I tried before from PrivateCertificate().
> > > >
> > > > Can you tell me how I can make use of IOpenSSLServerConnectionCreator to
> > > > create a valid SSL context for the TLS server in my case?
> > >
> > > You should probably just use CertificateOptions - I still would like to
> > > understand why it doesn't work ;-).
> > >
> > > https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html
> > > is documented here; this is just the interface you should implement (rather
> > > than subclassing ContextFactory and implementing getContext) if you want to
> > > do something totally custom with the OpenSSL API rather than Twisted's API;
> > > I'd still rather understand why Twisted's API, i.e. CertificateOptions,
> > > doesn't work for you.
> > >
> > > -glyph
> > >
> > > > Thank you!
> > > >
> > > > > Sent: Sunday, 20 August 2017 at 22:36
> > > > > From: Glyph <gl...@twistedmatrix.com>
> > > > > To: "Twisted general discussion" <twisted-python@twistedmatrix.com>
> > > > > Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
> > > > >
> > > > > > On Aug 20, 2017, at 9:30 AM, Thomas Hartwich <ceebor...@gmx.de> wrote:
> > > > > >
> > > > > > Ok, I finally got a solution for my problem. As I know the TLS server was
> > > > > > working with DefaultOpenSSLContextFactory, but this only takes file paths
> > > > > > to the private key/certificate, I created my own SSL-Context file.
> > > > > >
> > > > > > For anybody who has the same problem:
> > > > >
> > > > > Please note that this solution will prevent the use of TLS 1.3 when it is
> > > > > available, among other problems.
> > > > >
> > > > > DefaultOpenSSLContextFactory should be deprecated (I hope someone has the
> > > > > time to do it soon), as is the 'getContext' interface that you're using (you
> > > > > should be using
> > > > > https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html
> > > > > ) so it would be really good to understand what part of the non-deprecated
> > > > > TLS stack is broken for you.
> > > > >
> > > > > -glyph
> > > > > _______________________________________________
> > > > > Twisted-Python mailing list
> > > > > Twisted-Python@twistedmatrix.com
> > > > > https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python