changes to SSL/TLS in ApplicationRunner in recent AutobahnPython - any new usage examples?

Dave Barndt

Aug 31, 2015, 1:00:29 PM
to Autobahn
Hi,

We recently updated to the latest AutobahnPython (0.10.5) and Crossbar.io (0.10.4) from slightly earlier versions and our SSL/TLS code, which seemed to have been working fine, broke.

Note: We are planning to use self-signed certs. We are using Twisted. We are using Python 2.

Upon investigating what happened, Crossbar.io/config.json still seems to work OK. Crossbar.io starts and runs, and we have a local authenticator component which still connects OK and registers an authentication procedure.

The issue *seems* to be with a new optional "ssl" parameter that is now passed to the constructor of ApplicationRunner:

class ApplicationRunner(object):
    def __init__(self, url, realm, extra=None, debug=False, debug_wamp=False, debug_app=False, ssl=None):
        """
        ...
        :param ssl: (Optional). If specified this should be an
            instance suitable to pass as ``sslContextFactory`` to
            :class:`twisted.internet.endpoints.SSL4ClientEndpoint` such
            as :class:`twisted.internet.ssl.CertificateOptions`. Leaving
            it as ``None`` will use the result of calling Twisted's
            :meth:`twisted.internet.ssl.platformTrust` which tries to use
            your distribution's CA certificates.
        :type ssl: :class:`twisted.internet.ssl.CertificateOptions`
        """

If I understand this correctly, since we want to use self-signed certs (not using our distribution's CA certs):

1) Do we need to create this CertificateOptions parameter from our own cert/key?

2) To save time, is there an example of how to do this somewhere? (If not, since twisted.internet.ssl.optionsForClientTLS() is used in ApplicationRunner for the default case; I guess we can look into using that.)

3) If the ApplicationRunner client is connecting to a remote Crossbar.io, do we need to have the remote cert/key on the client as well so we can create the CertificateOptions for the connection from them?

Sorry if these are dumb questions - just trying to climb the learning curve.

Thanks very much,
Dave

Tobias Oberstein

Aug 31, 2015, 5:45:33 PM
to autob...@googlegroups.com
Hi Dave,

yes, the ssl parameter is new to ApplicationRunner.

To connect to a server "example.com" that is using a self-signed
certificate "certData", you need to

from twisted.internet import ssl

# certData: the server's PEM-encoded certificate, as a string
# (only the certificate; the server's private key is never needed here)
authority = ssl.Certificate.loadPEM(certData)
# the hostname must match what the certificate was issued for
options = ssl.optionsForClientTLS(u'example.com', authority)

http://twistedmatrix.com/documents/current/core/howto/ssl.html#tls-echo-client

and use "options" for the ssl parameter to ApplicationRunner.

You only need the certificate of that server, not the key (which stays
private).

> 1) Do we need to create this CertificateOptions parameter from our own
> cert/key?

Yes, from the certificate. See above.

>
> 2) To save time, is there an example of how to do this somewhere? (If
> not, since twisted.internet.ssl.optionsForClientTLS() is used in
> ApplicationRunner for the default case; I guess we can look into using
> that.)

I don't think we have an example.

>
> 3) If the ApplicationRunner client is connecting to a remote
> Crossbar.io, do we need to have the remote cert/key on the client as
> well so we can create the CertificateOptions for the connection from
> them?

You either need the CA cert (or the self-signed cert) OR you can disable
server verification altogether.

Hope this helps,
Cheers,
/Tobias
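The three choices Tobias lists (platform CA bundle, the server's own self-signed certificate, or no verification) can be expressed as a small trust-configuration helper. The following is an added example, not code from the thread or from Autobahn: it is written for Python 3 against the standard-library ssl module so it runs without Twisted; in Twisted the same object is produced by ssl.optionsForClientTLS(hostname, authority) as shown in the reply. The mode names, function names and the "server.crt" path are the example's own assumptions.

```python
# Added example (not from the thread or the Autobahn project): client-side
# trust configuration for a TLS client whose server uses a self-signed cert.
# Python 3, stdlib ssl only; the Twisted equivalent is optionsForClientTLS().
import ssl

# The three trust models from the reply, as named modes (names are the example's own).
PLATFORM = "platform"   # distribution CA bundle (what ApplicationRunner does for ssl=None)
PINNED = "pinned"       # trust exactly one certificate: the server's self-signed cert
INSECURE = "insecure"   # no server verification at all; local debugging only


def pem_contains_private_key(pem_text):
    """True if a PEM bundle includes a private key block.

    The client needs only the server's certificate; if the operator copied
    "cert/key" over, refusing the bundle stops the key from spreading.
    """
    return "PRIVATE KEY-----" in pem_text


def build_client_context(mode, server_pem=None):
    """Return an ssl.SSLContext for the requested trust model.

    server_pem is the server's PEM-encoded certificate (PINNED mode only).
    Raises ValueError on an unknown mode, a missing or malformed certificate,
    or a bundle that also carries a private key.
    """
    if mode == PLATFORM:
        # CERT_REQUIRED, hostname checking and the OS trust store.
        return ssl.create_default_context()

    if mode == PINNED:
        if not server_pem:
            raise ValueError("pinned mode needs the server's PEM certificate")
        if pem_contains_private_key(server_pem):
            raise ValueError("refusing PEM that contains a private key; "
                             "the client needs only the certificate")
        # PROTOCOL_TLS_CLIENT starts with an empty trust store, CERT_REQUIRED
        # and check_hostname=True, so only this one certificate, presented for
        # the hostname we connect to, will verify.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cadata=server_pem)
        except ssl.SSLError as exc:
            raise ValueError("server_pem is not a valid PEM certificate: %s" % exc) from exc
        return ctx

    if mode == INSECURE:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted: interceptable
        return ctx

    raise ValueError("unknown trust mode: %r" % (mode,))


def describe(ctx):
    """Summarise a context's verification posture so it can be logged or asserted on."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "trusted_certs": ctx.cert_store_stats()["x509"],
    }


if __name__ == "__main__":
    for mode in (PLATFORM, INSECURE):
        print(mode, describe(build_client_context(mode)))
    # PINNED needs the real server certificate, read from the .crt file copied
    # from the Crossbar.io node (placeholder path; never copy the .key):
    #   ctx = build_client_context(PINNED, open("server.crt").read())
```

describe() is what you would log at client start-up: an INSECURE context shows verifies_server False and zero trusted certificates, which is the configuration that should never reach production, while a PINNED context shows CERT_REQUIRED, hostname checking on and exactly the one certificate you shipped.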
