Yes. I could see _parseSSL wasn't checking for all the options. So I decided to drop the endpoints for now.
Thanks

John

On Tue, Sep 1, 2020 at 5:48 AM Glyph <gl...@twistedmatrix.com> wrote:
> Super glad you got this working!
>
> However, what L. Daniel Burr suggested is correct - whether there's an existing ticket or not, the string endpoint should support all of these features.
>
> (However, using pem is fine, too.)
>
> -g
>
> On Aug 31, 2020, at 1:16 PM, John Aherne <johnahe...@rocs.co.uk> wrote:
>
> Thanks for looking all this up.
>
> I'd already decided to drop the endpoint server from string.
>
> So I'm using Hynek Schlawack's PEM package to build the certificate options.
>
> That seems to be working. Anyway I'm getting an A from Qualys at the moment having reset the _defaultMinimumTLSVersion back to its default of tlsv1_0 and passing the raiseMinimumTo as TLSVersion.TLS1_2.
>
> Thanks for the pointers.
>
> John
>
> On Mon, Aug 31, 2020 at 7:26 PM L. Daniel Burr <ldanielb...@me.com> wrote:
>
>> Hi John,
>>
>> I don't think you can accomplish it via a change to the description string, because serverFromString relies on the existing _parseSSL function, which is only passing the deprecated ssl method argument to CertificateOptions.
>>
>> I haven't tried this myself, but I think the solution is to provide your own plugin, implementing IPlugin and IStreamServerEndpointStringParser, e.g. "MyTLSParser", and use your own description string, e.g., "tls:443:raiseMinimumTo=...".
>>
>> Or maybe there's a ticket somewhere about updating the existing ssl description and parser to handle the new CertificateOptions arguments. That might be the right thing to implement.
>>
>> Hope this helps,
>>
>> L. Daniel Burr
>>
>> On Aug 31, 2020, at 12:02 PM, John Aherne <johnahe...@rocs.co.uk> wrote:
>>
>> Thanks. That was quick.
>>
>> Just wondering how I can add that to my endpoint_description create serverFromString.
>>
>> Or will I have to drop that?
>>
>> Let me take a look.
>>
>> Cheers
>>
>> John
>>
>> On Mon, Aug 31, 2020 at 4:58 PM L. Daniel Burr <ldanielb...@me.com> wrote:
>>
>>> Hi John,
>>>
>>> I think you want https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html, specifically, you want to pass the "raiseMinimumTo" parameter.
>>>
>>> Hope this helps,
>>>
>>> L. Daniel Burr
>>>
>>> On Aug 31, 2020, at 10:47 AM, John Aherne <johnahe...@rocs.co.uk> wrote:
>>>
>>> I'm using twisted 20.3 and python3.6.8 and Windows 10.
>>>
>>> I'm using endpoint_description with a tac file to start up a server.
>>>
>>> But I need to disable tls 1.0 and 1.1.
>>>
>>> I was hoping to find a parameter I could pass in to make the system only recognise 1.2 and 1.3. But could not find anything that would do that. I thought sslmethod would be what I wanted but that is limited to:
>>>
>>> Must be one of: "SSLv23_METHOD", "SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD". If I choose TLSv1_METHOD, TLS1.0 and 1.1 are still enabled and QUALYS complains and downgrades the rating to B.
>>>
>>> In the end I found _defaultMinimumTLSVersion in _sslverify.py.
>>>
>>> I set this to TLSVersion.TLSv1_2 and that seemed to do the trick.
>>>
>>> But I don't think I should be doing that. I think I've missed some obvious place where I can pass in a value to change this.
>>>
>>> Anyone know where I should be looking?
>>>
>>> Thanks for any info
>>>
>>> --
>>> John Aherne
>>> www.rocs.co.uk
>>> 020 7223 7567
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python@twistedmatrix.com
>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python