Hi John,

I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which is only passing the deprecated ssl method argument to CertificateOptions.
I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser" and use your own description string, e.g., "tls:443:raiseMinimumTo=...". Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments. That might be the right thing to implement.

Hope this helps,

L. Daniel Burr

> On Aug 31, 2020, at 12:02 PM, John Aherne <johnahe...@rocs.co.uk> wrote:
>
> Thanks. That was quick.
>
> Just wondering how I can add that to my endpoint_description create
> serverfromstring.
>
> Or will I have to drop that.
>
> Let me take a look.
>
> Cheers
>
> John
>
> On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielb...@me.com> wrote:
> Hi John,
>
> I think you want
> https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html,
> specifically, you want to pass the "raiseMinimumTo" parameter,
>
> Hope this helps,
>
> L. Daniel Burr
>
>> On Aug 31, 2020, at 10:47 AM, John Aherne <johnahe...@rocs.co.uk> wrote:
>>
>> I'm using twisted 20.3 and python3.6.8 and Windows 10
>>
>> I'm using endpoint_description with a tac file to start up a server.
>>
>> But I need to disable tls 1.0 and 1.1.
>>
>> I was hoping to find a parameter I could pass in to make the system only
>> recognise 1.2 and 1.3. But could not find anything that would do that. I
>> thought sslmethod would be what I wanted but that is limited to :
>>
>> Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD",
>> "TLSv1_METHOD".
>>
>> If I choose TLSv1_METHOD, TLS1.0 and 1.1 are still enabled and QUALYS
>> complains and downgrades the rating to B
>>
>> In the end I found _defaultMinimumTLSVersion in _sslverify.py.
>>
>> I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
>>
>> But I don't think I should be doing that. I think I've missed some obvious
>> place where I can pass in a value to change this.
>>
>> Anyone know where I should be looking.
>>
>> Thanks for any info
>>
>> --
>> John Aherne
>>
>> www.rocs.co.uk
>> 020 7223 7567
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python@twistedmatrix.com
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>
> --
> John Aherne
>
> www.rocs.co.uk
> 020 7223 7567