For what it's worth, the implementation of wrapServerTLS is fairly 
straightforward; you can see it here: 
https://github.com/glyph/txsni/blob/5014c141a7acef63e20fcf6c36fa07f0cd754ce1/txsni/tlsendpoint.py#L3-L12
 

We just need someone to write up some nice docstrings, update the docs, test 
cases, etc., so we can integrate this into Twisted.

Once we've got that, we can quickly begin the process of eliminating 
SSL4ServerEndpoint.  (We should not add an SSL6ServerEndpoint, as that would be 
as much or more work than adding wrapServerTLS, and a worse implementation 
strategy.)

-glyph

> On Mar 28, 2020, at 4:47 PM, Tom Most <[email protected]> wrote:
> 
> Hi Axel,
> 
> I don't know offhand how to produce a string that does what you want, but it 
> will probably be much easier to instantiate the endpoint classes directly.
> 
> https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.SSL4ServerEndpoint.html
>  
> 
> I think we're missing an SSL6ServerEndpoint, unfortunately.
> 
> Also unfortunately, SSL4ServerEndpoint is an old-style API (it uses 
> reactor.listenSSL underneath). It takes an IOpenSSLContextFactory that can 
> customize the OpenSSL context arbitrarily.
> 
> The new API, used by the ssl: client string syntax, is wrapClientTLS 
> <https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#wrapClientTLS>.
>  We don't have a wrapServerTLS yet, but it's definitely something we should 
> have, if you're interested in adding it. You'd wrap that around 
> TCP4ServerEndpoint and TCP6ServerEndpoint.
> 
> ---Tom
> 
> 
> On Thu, Mar 26, 2020, at 12:24 PM, Axel Rau wrote:
>> Hi,
>> 
>> How can I convert the plugin code below to a recent security level, to TLSv3, 
>> dhparams and extraCertChain?
>> Is OCSP stapling available in Twisted meanwhile?
>> 
>> Thanks, Axel
>> 
>>     def makeService(self, options):
>>         """
>>         makeService() returns an IService.
>>         twisted.internet.application.MultiService[1] is an IService that
>>         composes other services (it's an IServiceCollection).
>>         """
>>         ipv4_server = endpoints.serverFromString(
>>             reactor, 'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
>>                 options['port'],
>>                 endpoints.quoteStringArgument(options['cert_path']),
>>                 endpoints.quoteStringArgument(options['key_path']),
>>                 options['ipv4_address']))
>> 
>>         ipv6_server = endpoints.serverFromString(
>>             reactor, 'ssl:{}:privateKey={}:certKey={}:interface={}'.format(
>>                 options['port'],
>>                 endpoints.quoteStringArgument(options['cert_path']),
>>                 endpoints.quoteStringArgument(options['key_path']),
>>                 endpoints.quoteStringArgument(options['ipv6_address'])))
>> 
>>         ipv4 = internet.StreamServerEndpointService(
>>             ipv4_server, meteo_factory)
>>         ipv6 = internet.StreamServerEndpointService(
>>             ipv6_server, meteo_factory)
>>         root = MultiService()
>>         ipv4.setServiceParent(root)
>>         ipv6.setServiceParent(root)
>>         return root
>> 
>> serviceMaker = MeteoServiceMaker()
>> 
>> ---
>> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>> 
>> 
>> _______________________________________________
>> Twisted-web mailing list
>> [email protected] <mailto:[email protected]>
>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web 
>> <https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web>
>> 
>> 
> 