[Twisted-Python] SNI callback with support for deferreds
Jonathan Stoppani
2015-10-25 11:54:14 UTC
Hello,

A couple of days ago I asked on Stack Overflow about returning a deferred
from an SNI callback and have pyOpenSSL wait for it to fire before
continuing handling the request.

Thanks to some pointers by Glyph I've found a solution ("workaround") for my
problem, involving a fake TLSMemoryBIOProtocol to handle the client hello
until the SNI is received, firing the SNI callback, waiting for it to
callback and then re-feeding the resulting context to the real
TLSMemoryBIOProtocol.

The implementation of this solution is available at
https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to
contribute it back to Twisted, however, it has no unit tests and needs some
design decisions/validation.

I've opened a ticket to track it at
https://twistedmatrix.com/trac/ticket/8065. Real-life impediments
permitting, I'm willing to work on it and get the feature supported in
Twisted core.

Anyone willing to help me get a proper patch?

Best,
Jonathan

P.S.: A big shout-out to Twisted for its excellent TLS support out of the
box. We got a straight A rating out of the box on ssl labs!
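The mechanism described above (buffer the client's bytes, learn the SNI, wait for an asynchronous lookup, then re-feed the whole ClientHello to the real TLS protocol) is easier to reason about with a small stand-alone model. The following is an added example, not code from the linked gist or from Twisted: to stay runnable without pyOpenSSL it swaps OpenSSL's servername callback for a hand-written ClientHello parser, uses a plain `lookup(host, resume)` callback in place of a Deferred, and assumes the ClientHello fits in one TLS record. `build_client_hello`, `extract_sni`, `SNIGate`, `RecordingProtocol` and `demo` are all names chosen for this example.

```python
import struct

SNI_EXTENSION = 0x0000  # TLS extension type "server_name"


def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one
    server_name extension. Used only to drive the demo, not real traffic."""
    name = host.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    ext_body = struct.pack("!H", len(name_list)) + name_list
    extension = struct.pack("!HH", SNI_EXTENSION, len(ext_body)) + ext_body
    body = (b"\x03\x03"                              # client_version TLS 1.2
            + b"\x11" * 32                           # "random" (constant here)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Parse buffered bytes as a ClientHello. Returns None when more bytes are
    needed, "" when the hello carries no server_name extension, and raises
    ValueError on anything that is not a well-formed ClientHello (the caller
    should then drop the connection). Assumes a single TLS record."""
    if len(data) < 5:
        return None
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + record_len:
        return None
    try:
        hs = data[5:5 + record_len]
        if hs[0] != 0x01:
            raise ValueError("first handshake message is not ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                              # version, random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression
        if pos + 2 > len(body):
            return ""                                             # no extensions
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXTENSION:
                # list length (2), then name_type (1), name length (2), name
                if body[pos + 2] != 0:
                    raise ValueError("unsupported server_name type")
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return ""
    except (IndexError, struct.error, UnicodeDecodeError):
        raise ValueError("malformed ClientHello")


class SNIGate:
    """Model of the 'fake TLSMemoryBIOProtocol' idea: hold the client's bytes
    until the SNI is known and lookup(host, resume) has called resume(context);
    then build the real protocol for that context and replay everything."""

    def __init__(self, lookup, make_protocol):
        self._lookup, self._make_protocol = lookup, make_protocol
        self._buffer, self._waiting, self.real = bytearray(), False, None

    def data_received(self, data: bytes) -> None:
        if self.real is not None:
            self.real.data_received(data)          # handshake already handed over
            return
        self._buffer += data
        if self._waiting:
            return                                 # lookup in flight, keep buffering
        host = extract_sni(bytes(self._buffer))    # ValueError propagates to caller
        if host is None:
            return                                 # ClientHello not complete yet
        self._waiting = True
        self._lookup(host, self._resume)

    def _resume(self, context) -> None:
        self.real = self._make_protocol(context)
        pending, self._buffer, self._waiting = bytes(self._buffer), bytearray(), False
        self.real.data_received(pending)           # re-feed the whole ClientHello


class RecordingProtocol:
    """Stand-in for the real TLS protocol: just records what it is fed."""
    def __init__(self, context):
        self.context, self.received = context, b""

    def data_received(self, data: bytes) -> None:
        self.received += data


def demo():
    """ClientHello arrives in two chunks; the lookup completes only later."""
    hello, pending = build_client_hello("example.test"), {}

    def lookup(host, resume):                      # would return a Deferred in Twisted
        pending["host"], pending["resume"] = host, resume

    gate = SNIGate(lookup, RecordingProtocol)
    gate.data_received(hello[:10])                 # incomplete: nothing fires yet
    gate.data_received(hello[10:])                 # SNI parsed, lookup started
    pending["resume"]("ctx-for-" + pending["host"])   # the deferred "fires"
    gate.data_received(b"tail")                    # later bytes go straight through
    return gate.real.context, gate.real.received == hello + b"tail"
```

The two return values of `extract_sni` that matter operationally are `None` (keep reading) and `ValueError` (not TLS at all, close the socket); conflating them would let a non-TLS client keep the gate buffering forever, which is the kind of symptom unit tests for the real patch should pin down.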
Glyph Lefkowitz
2015-10-26 02:37:12 UTC
Post by Jonathan Stoppani
Hello,
A couple of days ago I asked on Stack Overflow about returning a deferred from an SNI callback and have pyOpenSSL wait for it to fire before continuing handling the request.
Thanks to some pointers by Glyph I've found a solution ("workaround") for my problem, involving a fake TLSMemoryBIOProtocol to handle the client hello until the SNI is received, firing the SNI callback, waiting for it to callback and then re-feeding the resulting context to the real TLSMemoryBIOProtocol.
Really glad to hear that this worked.
Post by Jonathan Stoppani
The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted, however, it has no unit tests and needs some design decisions/validation.
It also needs a serious overhaul on its indentation - something messed up happened to that code :).
Post by Jonathan Stoppani
I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065. Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core.
Thanks! We don't really support an SNI callback at all (that's purely in the pyOpenSSL layer) so this will be very good to have.
Post by Jonathan Stoppani
Anyone willing to help me get a proper patch?
What help do you need? I will be happy to do reviews when it's ready. :)
Post by Jonathan Stoppani
P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on ssl labs!
really glad to hear this! I do plan to quote you on that :)

-glyph
Jonathan Stoppani
2015-10-26 12:37:42 UTC
Post by Jonathan Stoppani
The implementation of this solution is available at
https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to
contribute it back to Twisted, however, it has no unit tests and needs some
design decisions/validation.
It also needs a serious overhaul on its indentation - something messed up
happened to that code :).
I don't get it, I see it all as PEP8 compliant (will need to adapt spacing
to Twisted's code standards, but that should be all).
Post by Jonathan Stoppani
Anyone willing to help me get a proper patch?
What help do you need? I will be happy to do reviews when it's ready. :)
Definitely a review. Even before that I would like to know if the approach
as I implemented it is ok design-wise or if it needs adaptations. Also, in
which module should the code live?
And then there is this:
https://gist.github.com/GaretJax/124c523a62ba48c9eec1#file-usage-py-L13-L19
(maybe testing will help finding out the exact cause of those symptoms).

Post by Jonathan Stoppani
P.S.: A big shout-out to Twisted for its excellent TLS support out of the
box. We got a straight A rating out of the box on ssl labs!
really glad to hear this! I do plan to quote you on that :)
Feel free to! Maybe remove the "out of the box" repetition. :D
We will use it as edge load balancer and SSL terminator for
http://www.aldryn.com/. Currently we're using Hipache, but it does not
support SNI at all and is written in JS. :-(
We should deploy the new Twisted based implementation during the course of
this week.

Best,
Jonathan
Glyph Lefkowitz
2015-10-27 00:10:57 UTC
Post by Glyph Lefkowitz
It also needs a serious overhaul on its indentation - something messed up happened to that code :).
I don't get it, I see it all as PEP8 compliant (will need to adapt spacing to Twisted's code standards, but that should be all).
Uh... never mind. Must have been some GitHub stylesheet failing to load for me or something; the code looks fine now.