A quick git blame says that it landed in
https://github.com/pyca/pyopenssl/commit/6c6bf865acdd3c5ca5f47b1dbc2903023fd286b6,
which exists in 17.0.0+. We require 16.0.0+, so it ought to be a relatively
simple version check.

- Amber


> On 25 Aug 2017, at 18:19, Cory Benfield <c...@lukasa.co.uk> wrote:
> 
> This is a somewhat-known issue that I’ve had bubbling on the backburner for 
> some time. For a long time PyOpenSSL didn’t automatically load all EC curves 
> and didn’t provide any API to do so, so Twisted told OpenSSL which curve to 
> use. Some time ago PyOpenSSL changed this behaviour to automatically load all 
> curves, which would resolve this issue.
> 
> The most comprehensive fix here is to do some history spelunking in PyOpenSSL 
> to find out what the lowest version is that has this code block[1] in it, and 
> then only execute the current ecCurve logic if that code block doesn’t appear 
> to have worked.
> 
> Cory
> 
> 
> [1]: 
> https://github.com/pyca/pyopenssl/blob/master/src/OpenSSL/SSL.py#L632-L636
> 
>> On 24 Aug 2017, at 20:40, Thomas Hartwich <ceebor...@gmx.de> wrote:
>> 
>> I think I now know why it is not working. As I initially suspected that ECC
>> could be the reason, it seems to have come true. No matter what kind of ECC
>> curve I use, the current implementation of Twisted always uses prime256v1 
>> curve. Maybe because pyOpenSSL hasn't got full ECC support currently!? (got 
>> it from some comments in _sslverify.py)
>> 
>> In my setting I use secp521r1 curve and for testing purpose I created a key 
>> pair of prime256v1 and this works with CertificateOptions. If you have a 
>> look at the implementations of twisted.internet._sslverify you will see that 
>> prime256v1 is always used as default curve and it seems that no other curve 
>> is being accepted. This should be the reason why CertificateOptions does not 
>> work for my ECC key.
>> 
>> But somehow it works even with secp521r1, if I use the 
>> DefaultOpenSSLContextFactory. So do you know any workaround how it can be 
>> fixed that twisted accepts other curves than prime256v1?
>> 
>> Thank you!
>> 
>> 
>> Sent: Wednesday, 23 August 2017 at 06:21
>> From: Glyph <gl...@twistedmatrix.com>
>> To: "Twisted general discussion" <twisted-python@twistedmatrix.com>
>> Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
>> 
>> 
>> 
>> On Aug 22, 2017, at 9:16 AM, Thomas Hartwich <ceebor...@gmx.de> wrote:
>> 
>> Yes, you're right for sure. As an alternative I tried to instantiate an 
>> object from twisted.internet._sslverify.OpenSSLCertificateOptions (as it is 
>> used by PrivateCertificate e.g.):
>> 
>> co = OpenSSLCertificateOptions(privateKey=pkey,certificate=cert_obj)
>> 
>> Please note that importing names with "._" in them is relying on private API 
>> :).  The public alias for this is `twisted.internet.ssl.CertificateOptions` 
>> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.ssl.CertificateOptions.html
>> 
>> Although it provides an SSL context, it does not work like the
>> options() method I tried before from PrivateCertificate().
>> 
>> Can you tell me how I can make use of IOpenSSLServerConnectionCreator to 
>> create a valid SSL-Context for the TLS server in my case?
>> 
>> You should probably just use CertificateOptions - I still would like to 
>> understand why it doesn't work ;-).
>> 
>> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html
>>  is documented here; this is just the interface you should implement (rather 
>> than subclassing ContextFactory and implementing getContext) if you want to 
>> do something totally custom with the OpenSSL API rather than Twisted's API; 
>> I'd still rather understand why Twisted's API, i.e. CertificateOptions, 
>> doesn't work for you.
>> 
>> -glyph
>> 
>> Thank you!
>> 
>> 
>> Sent: Sunday, 20 August 2017 at 22:36
>> From: Glyph <gl...@twistedmatrix.com>
>> To: "Twisted general discussion" <twisted-python@twistedmatrix.com>
>> Subject: Re: [Twisted-Python] SSLContext not valid for TLS Server
>> 
>> 
>> 
>> On Aug 20, 2017, at 9:30 AM, Thomas Hartwich <ceebor...@gmx.de> wrote:
>> Ok, I finally got a solution for my problem. As I knew the TLS server was
>> working with DefaultOpenSSLContextFactory, but this only takes file paths to
>> the private key/certificate, I created my own SSL-Context file.
>> 
>> For anybody who has the same problem:
>> Please note that this solution will prevent the use of TLS 1.3 when it is 
>> available, among other problems.
>> 
>> DefaultOpenSSLContextFactory should be deprecated (I hope someone has the 
>> time to do it soon), as is the 'getContext' interface that you're using (you 
>> should be using 
>> https://twistedmatrix.com/documents/17.5.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html
>>  ) so it would be really good to understand what part of the non-deprecated 
>> TLS stack is broken for you.
>> 
>> -glyph
>> 
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python@twistedmatrix.com
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>> 
> 

Attachment: signature.asc
Description: Message signed with OpenPGP


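As an added illustration of the version-gated fix Cory and Amber sketch above (example code written for this page, not Twisted's or pyOpenSSL's own): the function and class names are invented; the 17.0.0 threshold comes from Amber's git blame; `Context.set_tmp_ecdh` and `crypto.get_elliptic_curve` are the pyOpenSSL calls the manual prime256v1 fallback would use. The version check is pure string parsing and the context is a constructed stand-in, so the block runs without pyOpenSSL installed; in real use you would pass `OpenSSL.__version__` and `OpenSSL.crypto.get_elliptic_curve`.

```python
import re

# Lowest pyOpenSSL release whose Context.__init__ enables ECDH itself,
# according to the thread above (the referenced commit first shipped in 17.0.0).
AUTO_ECDH_MIN_VERSION = (17, 0, 0)

# The curve Twisted's _sslverify pinned when pyOpenSSL offered no way to load
# curves automatically (as described in the thread).
FALLBACK_CURVE = "prime256v1"

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<micro>\d+))?"
    r"(?P<pre>[.\-]?(?:dev|a|b|rc)\d*)?"
)


def parse_version(version):
    """Split a pyOpenSSL version string into ((major, minor, micro), is_prerelease).

    "17.0.0" -> ((17, 0, 0), False); "16.0" -> ((16, 0, 0), False);
    "17.0.0.dev0" -> ((17, 0, 0), True). Anything unparseable raises ValueError.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unrecognised pyOpenSSL version string: %r" % (version,))
    release = tuple(int(match.group(g) or 0) for g in ("major", "minor", "micro"))
    return release, match.group("pre") is not None


def pyopenssl_sets_ecdh_automatically(version):
    """True when this pyOpenSSL release already enables ECDH in Context.__init__."""
    release, is_prerelease = parse_version(version)
    if release > AUTO_ECDH_MIN_VERSION:
        return True
    if release == AUTO_ECDH_MIN_VERSION:
        # A 17.0.0 pre-release may predate the commit, so treat it as lacking
        # the feature; forcing the fallback curve there is the safe choice.
        return not is_prerelease
    return False


def configure_ecdh(ctx, version, curve_lookup, curve_name=FALLBACK_CURVE):
    """Force the fallback curve only where pyOpenSSL will not set one itself.

    ctx          - an OpenSSL.SSL.Context (anything with set_tmp_ecdh)
    version      - pyOpenSSL version string, e.g. OpenSSL.__version__
    curve_lookup - maps a curve name to a curve object,
                   e.g. OpenSSL.crypto.get_elliptic_curve

    Returns the curve name that was forced, or None when left to pyOpenSSL.
    """
    if pyopenssl_sets_ecdh_automatically(version):
        return None
    ctx.set_tmp_ecdh(curve_lookup(curve_name))
    return curve_name


class RecordingContext:
    """Constructed stand-in for OpenSSL.SSL.Context so the demo runs offline."""

    def __init__(self):
        self.forced_curves = []

    def set_tmp_ecdh(self, curve):
        self.forced_curves.append(curve)


def demo(version):
    """Run configure_ecdh against the stand-in; returns (forced_name, recorded_calls)."""
    ctx = RecordingContext()
    forced = configure_ecdh(ctx, version, curve_lookup=lambda name: name)
    return forced, ctx.forced_curves


if __name__ == "__main__":
    for v in ("16.0.0", "16.2.0", "17.0.0.dev0", "17.0.0", "17.3.0"):
        print(v, "->", demo(v))
```

On 16.x the context gets prime256v1 via set_tmp_ecdh exactly as before; on 17.0.0 and later nothing is forced, so the curve pyOpenSSL enabled itself is left in place.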