[Twisted-Python] Twisted 16.3.0 Prerelease 2 Announcement
Paweł Miech
pawelmhm at gmail.com
Tue Jul 12 02:33:03 MDT 2016
> DefaultOpenSSLContextFactory should have been deprecated a long time ago.
> It’s insecure, and in particular does not set a cipher string, so it uses
> DEFAULT. That will have all kinds of messed up priorities. For that reason,
> you should adjust your code to use OpenSSLCertificateOptions or, even
> better, use the TLS endpoint directly. The TL;DR is: yes, it seems that
> DefaultOpenSSLContextFactory produces a context that is genuinely
> unacceptable for HTTP/2.
Indeed it all works fine with endpoints. Thanks!
I was not aware that DefaultOpenSSLContextFactory is deprecated. There is
no warning about it anywhere. It seems that it is very widely used by
users; I just did a GitHub search now and found around 5k occurrences of
people using it:
https://github.com/search?utf8=%E2%9C%93&q=defaultopensslcontextfactory&type=Code&ref=searchresults
If you google for "ssl in twisted" you will also find articles that
recommend it. Since so many people use it, maybe it could be updated to be
more secure? If it does not make sense to update it then perhaps it would
be good to deprecate it so that it does not confuse users?
2016-07-12 9:56 GMT+02:00 Tristan Seligmann <mithrandi at mithrandi.net>:
> On Tue, 12 Jul 2016 at 09:43 Cory Benfield <cory at lukasa.co.uk> wrote:
>
>> For that reason, you should adjust your code to use
>> OpenSSLCertificateOptions or, even better, use the TLS endpoint directly.
>>
>> The exported name of this class is actually just "CertificateOptions",
> fwiw.
>
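Cory's point quoted above is that a context factory which never sets a cipher string leaves OpenSSL on DEFAULT. As an added example (not code from this thread or from Twisted), the script below uses Python's stdlib ssl module, which resolves OpenSSL cipher strings the same way pyOpenSSL does, to list what DEFAULT enables next to an explicit string and to flag suites that lack AEAD or forward secrecy; the cipher strings and the audit rules are my own choices, and with Twisted an explicit list like this is what you would hand to CertificateOptions via acceptableCiphers.

```python
"""Audit what an OpenSSL cipher string actually enables.

Added example, not from the Twisted thread: the stdlib ssl module drives
the same OpenSSL cipher-string resolution that pyOpenSSL and Twisted's
CertificateOptions rely on, so it shows what an unconfigured context gets.
"""
import ssl

# Constructed cipher strings: OpenSSL's built-in default versus an explicit,
# forward-secret, AEAD-only selection (assumption: a reasonable hardened set).
OPENSSL_DEFAULT = "DEFAULT"
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def enabled_ciphers(cipher_string):
    """Return the suites a server context would offer for cipher_string,
    as the dicts produced by SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def weak_suites(ciphers):
    """Flag suites that are not AEAD or not forward secret.

    TLS 1.3 suites report kea as 'kx-any' because key exchange is negotiated
    separately; they are always (EC)DHE with an AEAD cipher, so they pass.
    """
    findings = []
    for c in ciphers:
        reasons = []
        if not c.get("aead"):
            reasons.append("not AEAD")
        kea = c.get("kea") or "undefined"
        if not (kea.startswith(("kx-ecdhe", "kx-dhe")) or kea == "kx-any"):
            reasons.append("no forward secrecy (%s)" % kea)
        if reasons:
            findings.append((c["name"], reasons))
    return findings


if __name__ == "__main__":
    for label, cs in (("DEFAULT", OPENSSL_DEFAULT), ("hardened", HARDENED)):
        suites = enabled_ciphers(cs)
        bad = weak_suites(suites)
        print("%s: %d suites offered, %d flagged" % (label, len(suites), len(bad)))
        for name, reasons in bad[:5]:
            print("  %s: %s" % (name, ", ".join(reasons)))
```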