OK, I think I've got it figured out, but I'm still not sure what to do about it.

In twisted.internet._sslverify.py, there's:

    _defaultCurveName = u"prime256v1"

Then, later, this curve is set as self.ecCurve on OpenSSLCertificateOptions. There appears to be no way to change this, but of course "prime256v1" is not the curve I want.

There was a PR recently merged - #928, which uses a PyOpenSSL curve instead of the proxy class which existed prior. However, it still doesn't allow me to pass a curve name or nid - how can I specify a curve of my choice?

On Sat, Mar 3, 2018 at 8:14 PM, Justin Myles Holmes <twotonespi...@gmail.com> wrote:
> Righto!
>
> I notice that there's an issue on PyOpenSSL which appears to address this:
>
> https://github.com/pyca/pyopenssl/pull/636
>
> However, it's not clear that this actually moves the issue forward, as it only provides for getting a PKey from a cryptography EC key, not for actually using it for TLS.
>
> One interesting tidbit I've noticed is that txsni does appear to support TLS with ciphers that use SECP256R1 (also called "NIST P-256" - a curve of questionable parentage), but not SECP256K1 (a curve used by several prominent blockchain projects).
>
> I'm not entirely sure where to turn next.
>
> On Sat, Mar 3, 2018 at 7:06 PM, Glyph <gl...@twistedmatrix.com> wrote:
>
>> On Mar 3, 2018, at 2:38 PM, Justin Myles Holmes <twotonespi...@gmail.com> wrote:
>>
>>> I'm trying to bend a little bit of custom TLS - one possible use case for me is a HendrixDeploy object which uses an ethereum keypair to self-sign a certificate.
>>>
>>> So I'm wondering: is it currently possible to use an ECC keypair for TLS with Twisted?
>>>
>>> Here's what I've discovered:
>>>
>>> twisted.internet.ssl.ContextFactory has a method, use_privatekey(). This thing wants an OpenSSL.crypto.PKey object. And, lo and behold, PKey offers a facility, from_cryptography_key(), which attempts to use a key from cryptography.io, from whence I'm generating keys anyway. However, it expects an RSA or DSA key, not an EC or ECDSA key.
>>>
>>> Glyph suggested that, instead of trying to handle PKeys myself, I might try loading PEM files with txsni or the like.
>>>
>>> I can actually get txsni to work with my cert/keypair, but I don't seem to be able to get a client to connect. For example, Firefox tells me "SSL_ERROR_NO_CYPHER_OVERLAP".
>>>
>>> I tried the same things with SSL4ServerEndpoint, and I get exactly the same thing - my protocol's dataReceived method is never run, no output appears in the console, but the client gets this same error.
>>>
>>> I notice that there's an issue on PyOpenSSL which appears to address this:
>>>
>>
>> Looks like your message was truncated before getting to the link :-).
>>
>> -glyph
>>
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python@twistedmatrix.com
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>
> --
> Justin Myles Holmes
> justinholmes.com
> thisisthebus.com
> github.com/jMyles/

--
Justin Myles Holmes
justinholmes.com
thisisthebus.com
github.com/jMyles/

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python