I think ACME_TLS_1 is a sufficiently high-entropy string that the likelihood of brokenness from this approach is basically zero.
-g

> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dho...@gmail.com> wrote:
>
> All we have to do is have some kind of per connection certificate store or
> flag. If acme is in the first packet and the special certificate exists, send
> it. Otherwise send the normal certificate, for a very short window of
> possible brokenness. Letsencrypt may or may not require correct alpn
> negotiation. Should be simple.
>
> I'm happy running the acme client separately and listing my domain instead of
> doing it all on demand inside twisted.
>
>
> On Sat, Mar 23, 2019, 23:59 Glyph <gl...@twistedmatrix.com> wrote:
>
> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dho...@gmail.com> wrote:
> >
> > HOLY REGEX BATMAN
> >
> > class _ConnectionProxy(object):
> >
> >     def __init__(self, obj):
> >         self._obj = obj          # the wrapped pyOpenSSL connection
> >         self.acme_tls_1 = False  # read later by the SNI callback
> >
> >     def bio_write(self, buf):
> >         # Only the first write (the ClientHello) is inspected; afterwards
> >         # bio_write is rebound to the wrapped object's method.
> >         if ACME_TLS_1 in buf:
> >             self.acme_tls_1 = True
> >         self.bio_write = self._obj.bio_write
> >         return self._obj.bio_write(buf)
> >
> > Now we can choose the acme certificate store in the sni callback and
> > make letsencrypt happy!
>
> 1. Gross
> 2. Hooray!
>
> -g
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
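The per-connection certificate-store selection discussed in the thread, as an added example that is not code from the thread or from Twisted: it parses the ALPN extension out of the ClientHello instead of substring-matching the whole first packet, and keeps the thread's naive check beside it for comparison. `build_client_hello` is a constructed test input; the ALPN id `acme-tls/1` and extension type 16 come from RFC 8737 and RFC 7301.

```python
import struct

ACME_TLS_1 = b"acme-tls/1"  # ALPN protocol id of the TLS-ALPN-01 challenge (RFC 8737)
ALPN_EXTENSION_TYPE = 16    # "application_layer_protocol_negotiation" (RFC 7301)

def naive_is_acme(first_packet):
    """The substring heuristic from the thread: fires if the id appears anywhere in the bytes."""
    return ACME_TLS_1 in first_packet

def alpn_protocols(first_packet):
    """Return the ALPN protocol list offered in a TLS ClientHello record ([] if none)."""
    if len(first_packet) < 6 or first_packet[0] != 0x16 or first_packet[5] != 0x01:
        return []  # not a TLS handshake record carrying a ClientHello
    try:
        pos = 9 + 2 + 32  # record header(5) + handshake header(4) + client_version + random
        pos += 1 + first_packet[pos]  # session_id
        pos += 2 + struct.unpack_from("!H", first_packet, pos)[0]  # cipher_suites
        pos += 1 + first_packet[pos]  # compression_methods
        if pos == len(first_packet):
            return []  # a ClientHello without an extensions block is legal
        end = pos + 2 + struct.unpack_from("!H", first_packet, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", first_packet, pos)
            pos += 4
            if ext_type == ALPN_EXTENSION_TYPE:
                stop = pos + 2 + struct.unpack_from("!H", first_packet, pos)[0]
                cursor, names = pos + 2, []
                while cursor < stop:  # each entry: 1-byte length + protocol name
                    n = first_packet[cursor]
                    names.append(first_packet[cursor + 1:cursor + 1 + n])
                    cursor += 1 + n
                return names
            pos += ext_len
        return []
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")

def select_cert_store(first_packet):
    """'acme' only when acme-tls/1 is really offered in the ALPN extension, else 'normal'."""
    return "acme" if ACME_TLS_1 in alpn_protocols(first_packet) else "normal"

def build_client_hello(alpn):
    """Constructed minimal ClientHello (TLS 1.2 framing, one cipher suite, only an ALPN extension)."""
    names = b"".join(bytes([len(p)]) + p for p in alpn)
    ext = struct.pack("!HHH", ALPN_EXTENSION_TYPE, len(names) + 2, len(names)) + names
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
```

In a bio_write-style hook the ClientHello can arrive in more than one chunk, so buffer until the record length in bytes 3-4 is satisfied before parsing.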