Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#4887] add tls: server endpoint that supports SNI, PEM parsing, and supporting code that changes OpenSSL connection/context building #11861

Open
wants to merge 57 commits into
base: trunk
Choose a base branch
from
Open

[#4887] add tls: server endpoint that supports SNI, PEM parsing, and supporting code that changes OpenSSL connection/context building #11861

wants to merge 57 commits into from

Conversation

glyph
Copy link
Member

@glyph glyph commented May 9, 2023
edited

Scope and purpose

Fixes #4887

This also makes it possible to do twist web --path whatever --listen=tls:path/to/certbot/config/live if path/to/certbot/config/live is a directory containing .pem files contining private keys, certificates, and chains in any layout (as, for example, the certbot live config dir does.

glyph added 6 commits May 8, 2023 17:48
@glyph
sketch of a new OpenSSL connection interface
e1bc428 
as silly as 'IOpenSSLServerConnectionCreatorFactory' sounds as an interface
name, there is a real problem with the previous structure: Context objects are
configured by *every connection* with new ALPN/NPN parameters, which is not the
way that contexts are supposed to work.  The context configuration should
happen once per-context per-*factory*, and the connection configuration should
happen once per *connection*.  However, 'per-context' is important, because an
implementation of SNI requires that the context configuration happen on the
creation of new contexts for other hostnames that may not have been loaded yet,
not just the first context.  so it is being called both too often and not often
enough, and at the wrong time.

client-side it's still worth doing this for symmetry, although the practical
implications are somewhat less pronounced, since you just call the context
methods a bit too often.
@glyph
revert unintentional change
a970ca3
@glyph
revert unintentional change
c3fa3c5
@glyph
wip
cdf8f35
@glyph
twist web --listen tls:/path/to/certbot/config/live now works
56fa1fb
@glyph
remove debug print
19aafd1
@glyph glyph changed the title Certbot layout [#4887] add tls: endpoint that supports SNI, PEM parsing, and supporting code that changes OpenSSL connection/context building May 9, 2023
@glyph glyph changed the title [#4887] add tls: endpoint that supports SNI, PEM parsing, and supporting code that changes OpenSSL connection/context building [#4887] add tls: server endpoint that supports SNI, PEM parsing, and supporting code that changes OpenSSL connection/context building Jun 10, 2023
@glyph glyph mentioned this pull request Jun 28, 2023
Closed
glyph added 16 commits April 4, 2024 17:54
@glyph
improve docstrings
b1323c5
@glyph
refactor certificate building to allow for multiple certs from the sa…
2a1bca8 
…me authority
@glyph
refactoring to decouple reloading-lookup
6222af0
@glyph
WIP: coverage markers
d94a15b
@glyph
WIP: maybe a misguided test
d0da471
@glyph
clean things up and make them a bit more inspectable
8a3e324
@glyph
Merge remote-tracking branch 'origin/trunk' into certbot-layout
8d1186e
@glyph
3.8 compat
f1044a0
@glyph
we should probably have a pre-commit hook to auto-add this
ce4b418
@glyph
move optional imports to the optional imports area
5c38a1c
@glyph
more straggling optional imports
359db47
@glyph
started renaming _sniLookup and found a problem
88527a9
@glyph
type alias for the lookup function
2323d72
@glyph
oh that was very silly of course we can't do that, the whole point is
4ac118a 
supporting wildcards and multi-SAN certs, what was I thinking
@glyph
condense
a768e06
@glyph
never returns None so let's not say it does
c94d0c5
adiroiban
adiroiban reviewed Apr 30, 2024
View reviewed changes
Copy link
Member

@adiroiban adiroiban left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a few commnents.

I am not very familiar with the serverFromString API.

I was expecting to see more documentation in this branch, covering how or why to use it.

I don't know when I will have time to fully review this.

I think that as long as it has good documentation and code coverage, we can merge it.

If anyone else is interested in this API, we can update it later.

Thanks again.

src/twisted/internet/_sslverify.py
contextSetupHook: Callable[[SSL.Context], None],
) -> IOpenSSLClientConnectionCreator:
"""
Create a client creator.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is private ... so not a big name

but maybe we can have a better docstring.

To me, this docstring doesn't add any more info that I alreay got by reading the function signature def createClientCreator

Why not call it "factory" ? like getClientOptionsFactory ?

just asking :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code really suffers from a bunch of iterations of evolving an interface, where they all kind of do the same thing but progressively more correctly. OptionsFactory2, OptionsFactory3 looks ugly and doesn't express the differences between them, so I tried to find synonyms ("creator" rather than "factory") to help draw the distinction

src/twisted/internet/_sslverify.py Outdated
Comment on lines 1182 to 1184
# Note: remember client options for testing. See
# twisted.internet.test.test_endpoints.tlsHostnameFromEndpoint
self._ctx._clientOptions = self
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe something like this

"remember client for testing" seemls like a task for the developers

Suggested change
# Note: remember client options for testing. See
# twisted.internet.test.test_endpoints.tlsHostnameFromEndpoint
self._ctx._clientOptions = self
# Note: To help with testing, we keep a reference to the TLS options.
$ See
# twisted.internet.test.test_endpoints.tlsHostnameFromEndpoint
self._ctx._clientOptions = self

@adiroiban adiroiban requested a review from a team April 30, 2024 22:28
@adiroiban
Copy link
Member

I had to deal with Twisted context factory about 10 years ago.
I got it working somehow, and since then I forgot about it.

@glyph if you have time, maybe we can do a 15-30 minutes voice/screen sharing meeting and look into giving some feedack.

I am a bit lost into all the SSL context wrapping API.
I have only worked with IOpenSSLContextFactory and I have a custom implementation, without using much code from Twisted.

@glyph
Copy link
Member Author

glyph commented May 1, 2024

@glyph if you have time, maybe we can do a 15-30 minutes voice/screen sharing meeting and look into giving some feedack.

That would be great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adiroiban adiroiban adiroiban left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
needs-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Server-side TLS Server Name Indication (SNI) support
3 participants
@glyph @adiroiban @chevah-robot