New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server-side TLS Server Name Indication (SNI) support #4887
Comments
This ticket should be for server-side support. I don't know what's required client-side yet. |
pyOpenSSL 0.13 supports SNI. For a server, what you do is call While not the prettiest API (not least because it forces a lot of OpenSSL specifics onto you), it's actually all accessible already, without any particular additional support from Twisted. So from that point of view, this ticket is actually resolved. The client-side support is actually harder, because there currently is no way in the Twisted SSL client-side APIs to specify which hostname you want to talk to. So with pyOpenSSL 0.13 and current Twisted, server-side is ugly but possible and client-side is not possible at all. |
Replying to exarkun: Thanks for this update, and thanks even more for actually implementing the requisite SNI wrappers. I think that we should probably have some explicit facility to do SNI so that it can get communicated down to layers like HTTP without OpenSSL specifics. Also, anyone who takes on the client portion of this implementation should be aware of #5190. |
Any plans to actually do this or are we going to leave txsni for a while and see how it evolves? |
Replying to hynek:
I'd like to have SNI support within Twisted proper, but txsni is an extremely opinionated implementation and I'm not sure if we should go the same way. The TxSNI endpoint requires you to have a directory full of certificates, and assumes you're going to have the same factory backing each one. A fully flexible implementation would require some way to select which factory to use for each certificate, except that breaks the Also, So, I don't know. Should we just roll txsni's endpoint in and then worry about these other issues later? |
I’m starting to be rather positive about external dependencies to Twisted since it lowers the general barriers of contributions. I would suggest the following:
IOW let it look less like a hack and more like an official thing to use and then let’s see what happens. I would recommend you to just steal my general docs style from e.g. https://github.com/hynek/attrs/tree/master/docs it works very well and you just have to “fill in the blanks”. |
This is slightly off-topic, but I just ran into an issue implementing SNI in my application that probably needs to be taken into consideration for any SNI implementation that makes its way into Twisted. The verification settings (VERIFY_PEER, verify callback, etc.) are set on the context, but they are also per-connection state. The connection settings are initialized from the context settings when the connection is initialized, meaning that calling |
Replying to mithrandi:
Oh wow. Uh, hrm. This is an interesting problem :-). Thank you very much for reporting it. |
Replying to evilalive:
Nope. Would you like to contribute something? :)
It would definitely require work, but as txsni shows, you can definitely do it with the current code. |
Also of interest: https://txacme.readthedocs.io/en/latest/ |
So, I guess the solution here really ought to be absorbing txsni, but only after txsni implements Deferred support - glyph/txsni#17 |
|
This depends on PyOpenSSL supporting SNI.
This should modify the SSL endpoint string description syntax so that existing applications will inherit it seamlessly.
Searchable metadata
The text was updated successfully, but these errors were encountered: