Comments (5)
"Verification: OK" is something from the openssl output. This is not related to Twisted.
I expect that you will get the same output with any server.
From my tests, openssl s_client fails with exit code 1, and the error is clear:
139698017736000:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
I got the same output with google.com for example, if I try tls 1.1
$ openssl s_client -connect google.com:443 -tls1_1 -msg
CONNECTED(00000003)
>>> TLS 1.2, RecordHeader [length 0005]
15 03 03 00 02
>>> TLS 1.3, Alert [length 0002], fatal protocol_version
02 46
4027D35B4D790000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
and now try and see the difference in output
openssl s_client -connect google.com:443 -tls1_2 -msg
I am leaving this closed for now.
Please double-check.
I am happy to reopen if it's the case.
To me, it still looks like Twisted is ok.
The openssl s_client output is a bit confusing... but it fails.
Hi
Thanks for the report.
Can you please share a complete example for your code using Twisted as HTTPS server?
Have you tried openssl s_client -tls1_1? I think that -tls1 means any V1 of TLS and not only TLS 1.0.
Hi @adiroiban
Thanks for your reply, appreciate it
from twisted.internet import reactor, ssl
from twisted.web.server import Site
from twisted.web.wsgi import WSGIResource
from OpenSSL import SSL
from django.core.wsgi import get_wsgi_application
import os

# Create WSGI resource
wsgi_resource = WSGIResource(reactor, reactor.getThreadPool(), get_wsgi_application())

# Create HTTPS context with SSL/TLS rejection settings
context = ssl.DefaultOpenSSLContextFactory(
    certificateFileName='/path/to/cert.pem',
    privateKeyFileName='/path/to/key.pem',
    sslmethod=SSL.TLSv1_2_METHOD,
)

# Create HTTPS server
site = Site(wsgi_resource)
reactor.listenSSL(8443, site, context)
print('Server running')

# Run the Twisted reactor
reactor.run()
This is my code for using Twisted as an HTTPS server.
-tls1_1
~$ openssl s_client -connect localhost:8443 -tls1_1
CONNECTED(00000003)
140211323364672:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
A complete and self-contained example http://www.sscce.org/
Generate the key+cert
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=localhost"
get the python code
from twisted.internet import reactor, ssl
from twisted.web.server import Site
from twisted.web.resource import Resource
from OpenSSL import SSL

# Create HTTPS context with SSL/TLS rejection settings
context = ssl.DefaultOpenSSLContextFactory(
    certificateFileName='cert.pem',
    privateKeyFileName='key.pem',
    sslmethod=SSL.TLSv1_2_METHOD,
)

class Simple(Resource):
    isLeaf = True

    def render_GET(self, request):
        return b"<html>Hello, world!</html>"

# Create HTTPS server
site = Site(Simple())
reactor.listenSSL(8443, site, context)
print('Server running')

# Run the Twisted reactor
reactor.run()
Try with tls1.1 ... it fails
$ openssl s_client -connect localhost:8443 -tls1_1 -msg
CONNECTED(00000003)
>>> TLS 1.2, RecordHeader [length 0005]
15 03 03 00 02
>>> TLS 1.3, Alert [length 0002], fatal protocol_version
02 46
40D7A6BC4D780000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
EXIT CODE 1
try with tls 1.2, it works
$ openssl s_client -connect localhost:8443 -tls1_2 -msg
You see the whole server certificate and stuff :)
I am closing this.
Feel free to add more info if you think that this is still an issue.
The openssl output is misleading.
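The two `-msg` dumps in this thread (against google.com and against the local Twisted server) carry the real answer in their raw bytes rather than in the summary lines, so here is an added example, not part of the issue or of Twisted, that decodes a TLS record exactly as `openssl s_client -msg` prints it. It assumes only the Python standard library; the sample record is the 7-byte dump copied from the thread.

```python
# Added example (not from the Twisted issue or project): decode the raw TLS
# record bytes that `openssl s_client -msg` prints. In that output ">>>" marks
# data the client WROTE and "<<<" data it read; the thread shows ">>>" only and
# "read 0 bytes and written 7 bytes", so the 7 bytes below are the client's own
# alert and no ClientHello ever reached the server. s_client's "Verification:"
# line reports SSL_get_verify_result(), which stays X509_V_OK (0) until a peer
# certificate has actually been checked; here none was, hence the "OK".
from dataclasses import dataclass

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 / RFC 8446 alert descriptions relevant to version negotiation.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


@dataclass
class TLSRecord:
    content_type: str
    legacy_version: str
    body: bytes
    summary: str


def parse_record(data: bytes) -> TLSRecord:
    """Parse one TLS record (5-byte header + body) and summarise its payload."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError(f"truncated record: want {length} bytes, have {len(body)}")
    name = CONTENT_TYPES.get(ctype, f"unknown({ctype:#x})")
    # Record-layer version 03 01..03 04 maps to TLS 1.0..1.3; 03 00 is SSL 3.0.
    version = f"TLS 1.{minor - 1}" if major == 3 and minor >= 1 else f"{major}.{minor}"
    if name == "alert" and length == 2:
        summary = f"{ALERT_LEVELS.get(body[0], str(body[0]))} " \
                  f"{ALERT_DESCRIPTIONS.get(body[1], f'alert({body[1]})')}"
    elif name == "handshake" and length >= 1:
        summary = HANDSHAKE_TYPES.get(body[0], f"handshake({body[0]})")
    else:
        summary = f"{length} bytes"
    return TLSRecord(name, version, body, summary)


def from_msg_dump(dump: str) -> TLSRecord:
    """Accept the hex exactly as the -msg lines print it (spaces are ignored)."""
    return parse_record(bytes.fromhex(dump))


# The record header line and the alert line from the thread's -msg output.
CLIENT_ALERT = "15 03 03 00 02 02 46"

if __name__ == "__main__":
    rec = from_msg_dump(CLIENT_ALERT)
    print(rec.content_type, rec.legacy_version, rec.summary)
```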
It is working for me with tls_2 actually
SSL handshake has read 2272 bytes and written 281 bytes
Verification error: self signed certificate
but it shows an error then, and my problem was and still is: why does it show Verification: OK with tls1_1?
Why not failed or an error?
Also, with this will it be only available for TLS1_2?