changes to SSL/TLS in ApplicationRunner in recent AutobahnPython - any new usage examples?


Dave Barndt

แƒฌแƒแƒฃแƒ™แƒ˜แƒ—แƒฎแƒแƒ•แƒ˜,
31 แƒแƒ’แƒ•. 2015, 13:00:2931.08.15
แƒ›แƒ˜แƒ›แƒฆแƒ”แƒ‘แƒ˜: Autobahn
Hi,

We recently updated to the latest AutobahnPython (0.10.5) and Crossbar.io (0.10.4) from slightly earlier versions and our SSL/TLS code, which seemed to have been working fine, broke.

Note: We are planning to use self-signed certs. We are using Twisted. We are using Python 2.

Upon investigating what happened, Crossbar.io/config.json still seems to work OK. Crossbar.io starts and runs, and we have a local authenticator component which still connects OK and registers an authentication procedure.

The issue *seems* to be with a new optional "ssl" parameter that is now passed to the constructor of ApplicationRunner:

class ApplicationRunner(object):
    def __init__(self, url, realm, extra=None, debug=False, debug_wamp=False, debug_app=False, ssl=None):
        """
        ...
        :param ssl: (Optional). If specified this should be an
            instance suitable to pass as ``sslContextFactory`` to
            :class:`twisted.internet.endpoints.SSL4ClientEndpoint` such
            as :class:`twisted.internet.ssl.CertificateOptions`. Leaving
            it as ``None`` will use the result of calling Twisted's
            :meth:`twisted.internet.ssl.platformTrust` which tries to use
            your distribution's CA certificates.
        :type ssl: :class:`twisted.internet.ssl.CertificateOptions`
        """

If I understand this correctly, since we want to use self-signed certs (not using our distribution's CA certs):

1) Do we need to create this CertificateOptions parameter from our own cert/key?

2) To save time, is there an example of how to do this somewhere? (If not, since twisted.internet.ssl.optionsForClientTLS() is used in ApplicationRunner for the default case; I guess we can look into using that.)

3) If the ApplicationRunner client is connecting to a remote Crossbar.io, do we need to have the remote cert/key on the client as well so we can create the CertificateOptions for the connection from them?

Sorry if these are dumb questions - just trying to climb the learning curve.

Thanks very much,
Dave

Tobias Oberstein

แƒฌแƒแƒฃแƒ™แƒ˜แƒ—แƒฎแƒแƒ•แƒ˜,
31 แƒแƒ’แƒ•. 2015, 17:45:3331.08.15
แƒ›แƒ˜แƒ›แƒฆแƒ”แƒ‘แƒ˜: autob...@googlegroups.com
Hi Dave,

yes, the ssl parameter is new to ApplicationRunner.

To connect to a server "example.com" that is using a self-signed
certificate "certData", you need to

from twisted.internet import ssl

# certData: the server's certificate as a PEM string (only the cert, not the key)
authority = ssl.Certificate.loadPEM(certData)
# hostname must match the name in the certificate; it is verified on connect
options = ssl.optionsForClientTLS(u'example.com', authority)

http://twistedmatrix.com/documents/current/core/howto/ssl.html#tls-echo-client

and use "options" for the ssl parameter to ApplicationRunner.

You only need the certificate of that server, not the key (which stays
private).

> 1) Do we need to create this CertificateOptions parameter from our own
> cert/key?

Yes, from the certificate. See above.

>
> 2) To save time, is there an example of how to do this somewhere? (If
> not, since twisted.internet.ssl.optionsForClientTLS() is used in
> ApplicationRunner for the default case; I guess we can look into using
> that.)

I don't think we have an example.

>
> 3) If the ApplicationRunner client is connecting to a remote
> Crossbar.io, do we need to have the remote cert/key on the client as
> well so we can create the CertificateOptions for the connection from
> them?

You either need the CA cert (or the self-signed cert) OR you can disable
server verification altogether.

Hope this helps,
Cheers,
/Tobias
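The trust decision behind the ssl parameter, as an added example that is not from this thread and not Autobahn's or Twisted's own code. It uses Python's standard-library ssl module (Python 3.7+) so it runs without Twisted, and mirrors the two configurations discussed above: a client that trusts only the server's self-signed certificate (what optionsForClientTLS(hostname, Certificate.loadPEM(certData)) builds) and a client using the platform CA bundle (the ssl=None default). A throwaway certificate for the constructed hostname "example.com" is generated with the openssl command-line tool, which is assumed to be on PATH; the key never leaves the server side, the client gets only the certificate. A third run points the pinned client at the wrong hostname to show that the hostname check still applies even when the certificate itself is trusted.

```python
# Added example (not from the thread, Autobahn or Twisted): the same trust
# decision ApplicationRunner's ssl parameter makes, using the stdlib ssl
# module. Assumes the `openssl` CLI (1.1.1+ for -addext) is on PATH and
# Python 3.7+. Hostname "example.com" and "other.example" are constructed.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "example.com"  # constructed hostname; the cert's SAN must match it


def make_self_signed_cert(tmpdir, hostname=SERVER_NAME):
    """Create key.pem/cert.pem for `hostname` with the openssl CLI; return both paths."""
    key_path = os.path.join(tmpdir, "key.pem")
    cert_path = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key_path, "-out", cert_path, "-days", "1",
         "-subj", "/CN=" + hostname,
         "-addext", "subjectAltName=DNS:" + hostname],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert_path, key_path


def pinned_client_context(cert_pem):
    """Client context trusting only `cert_pem` (a PEM string): the stdlib
    counterpart of optionsForClientTLS(hostname, Certificate.loadPEM(cert_pem)).
    PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=cert_pem)
    return ctx


def platform_client_context():
    """Client context using the OS CA bundle: what ApplicationRunner does for ssl=None."""
    return ssl.create_default_context()


def try_handshake(client_ctx, cert_path, key_path, server_hostname):
    """Handshake once against a local one-shot server presenting cert/key.
    Returns None on success, otherwise the client-side OpenSSL error reason."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert_path, key_path)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)  # returns once the client has sent its ping and closed
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate: expected in the failing cases
        finally:
            conn.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        # wrap_socket performs the handshake and certificate/hostname checks here
        with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"ping")
            return None
    except ssl.SSLError as exc:  # SSLCertVerificationError is a subclass
        return exc.reason
    finally:
        thread.join(5)
        listener.close()


def demo():
    """Run the three client configurations against the same self-signed server."""
    with tempfile.TemporaryDirectory() as tmpdir:
        cert_path, key_path = make_self_signed_cert(tmpdir)
        with open(cert_path) as f:
            cert_pem = f.read()  # only the certificate is shared; the key stays with the server
        return {
            # pinned trust root + right hostname: succeeds
            "pinned": try_handshake(pinned_client_context(cert_pem), cert_path, key_path, SERVER_NAME),
            # distribution CA bundle does not contain the self-signed cert: fails
            "platform_trust": try_handshake(platform_client_context(), cert_path, key_path, SERVER_NAME),
            # trusted cert but name mismatch: hostname verification fails
            "wrong_hostname": try_handshake(pinned_client_context(cert_pem), cert_path, key_path, "other.example"),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "OK" if outcome is None else outcome)
```

Only the "pinned" run completes; the other two fail with CERTIFICATE_VERIFY_FAILED, which is the same failure a client sees when it connects to a self-signed Crossbar.io with the ssl=None default. Pinning the certificate as the trust root keeps full verification (chain and hostname) in place, which is what makes it preferable to disabling server verification.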

แƒžแƒแƒกแƒฃแƒฎแƒ˜ แƒงแƒ•แƒ”แƒšแƒแƒก
แƒžแƒแƒกแƒฃแƒฎแƒ˜ แƒแƒ•แƒขแƒแƒ แƒก
แƒ’แƒแƒ“แƒแƒ›แƒ˜แƒกแƒแƒ›แƒแƒ แƒ—แƒ”แƒ‘แƒ
0 แƒแƒฎแƒแƒšแƒ˜ แƒจแƒ”แƒขแƒงแƒแƒ‘แƒ˜แƒœแƒ”แƒ‘แƒ