[Twisted-Python] Parameters of twisted.internet.interfaces.ITLSTransport [Was: Re: Request for help with Twisted bindings in M2Crypto]

Glyph Lefkowitz glyph at twistedmatrix.com
Tue Jul 26 00:28:23 MDT 2016

> On Jul 25, 2016, at 16:02, Matěj Cepl <mcepl at cepl.eu> wrote:
> On 2016-07-25, 09:33 GMT, Craig Rodrigues wrote:
>> Earlier this year, I contributed lots of patches to you in M2Crypto to port
>> it to py3k.
>> Now I have shifted efforts to Twisted, where in the past month I have
>> contributed hundreds of patches to help improve py3k support in Twisted.
> Hi,
> can I ask for a piece of advice on the documentation.
> M2Crypto.SSL.TwistedProtocolWrapper.TLSProtocolWrapper.startTLS
> implements the ITLSTransport.startTLS interface method, whose first parameter
> is called ``ctx``, and in `the current implementation in M2Crypto`_ it is of
> type SSL Context (that's M2Crypto.SSL.Context.Context); or whether it is
> a factory generating such Contexts (which is what
> https://twistedmatrix.com/documents/current/api/twisted.internet._newtls.ConnectionMixin.html
> says, at least that's how I understand it). Is my current
> implementation wrong?

Technically speaking, your implementation is wrong because it claims to implement <https://twistedmatrix.com/documents/16.3.0/api/twisted.internet.interfaces.ITLSTransport.html>, which documents the method startTLS <https://twistedmatrix.com/documents/16.3.0/api/twisted.internet.interfaces.ITLSTransport.html#startTLS> to accept a `contextFactory` which is a provider of either <https://twistedmatrix.com/documents/16.3.0/api/twisted.internet.interfaces.IOpenSSLClientConnectionCreator.html> or <https://twistedmatrix.com/documents/16.3.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html>.  Both of these interfaces return pyOpenSSL-specific objects.  If you want to do TLS with M2Crypto, you must therefore give up on supporting any of Twisted's interfaces directly, because (for example) optionsForClientTLS <https://twistedmatrix.com/documents/16.3.0/api/twisted.internet.ssl.html#optionsForClientTLS> is not going to work with your implementation, since you don't call clientConnectionForTLS on it.

If you want to provide TLS purely with M2Crypto, then you should have interfaces which describe exactly how it should work with M2Crypto.  You can make it take a concrete context if you want, or a factory, whichever makes sense for how you're going to set it up.  Personally my recommendation would be to go in the direction that Twisted itself has been moving and pass a thing that can create Connection objects (or, in OpenSSL-speak, an "SSL*", or in M2Crypto, an _SSLProxy(ssl_new())).  No existing Twisted code which is going to call startTLS() can be made to work with these interfaces without extensive monkey-patching, and even then, anything which expects to be able to cut in at the OpenSSL layer will break.

Basically, Twisted doesn't have a mechanism for abstracting away the TLS backend yet.  I'd really like it if it did!  If you want M2Crypto to be able to do what it's currently trying to do, you could contribute code to Twisted to make things like optionsForClientTLS more abstract, and to isolate the TLS implementation more closely to the TLS wrapper factory.  This would make it easier to adopt Cryptography's TLS API eventually, which is what we'll need to do as pyOpenSSL eventually becomes less relevant.

This is still several years away, of course.  But it would be nice to have some help getting there in advance.
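The shape of the contract discussed in the message above, as an added example that is not part of the original thread and is not code from Twisted, pyOpenSSL or M2Crypto: a "connection creator" object exposes clientConnectionForTLS(protocol) and hands back a TLS engine wired to a pair of memory BIOs, a startTLS() in the ITLSTransport mould refuses anything that is not such a creator, and a small adapter shows how a bare context (what the M2Crypto wrapper currently takes) can be lifted to the creator contract. The implementation below uses only the Python 3 standard library ssl module (SSLContext.wrap_bio and MemoryBIO, available since Python 3.5) as a stand-in for the OpenSSL "SSL*" over a memory BIO; the class names TLSProtocolStub, ClientTLSOptions and ContextToCreatorAdapter are hypothetical and only mirror the Twisted names for readability.

```python
import ssl


class TLSProtocolStub:
    """Stand-in for the protocol object passed to clientConnectionForTLS.

    Constructed for this example; it only carries the two memory BIOs that
    connect the TLS engine to the (absent) transport.
    """

    def __init__(self):
        self.incoming = None   # ciphertext arriving from the peer is written here
        self.outgoing = None   # ciphertext the engine wants sent to the peer


class ClientTLSOptions:
    """Connection-creator analogue: the role optionsForClientTLS's return
    value plays in Twisted. Given a protocol it creates the TLS engine
    object itself instead of handing out a context for the caller to use."""

    def __init__(self, hostname, context=None):
        self.hostname = hostname
        # Default assumed here: a verifying client context; real code would
        # also load the CA bundle it intends to trust.
        self.context = context or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    def clientConnectionForTLS(self, protocol):
        incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
        protocol.incoming, protocol.outgoing = incoming, outgoing
        # wrap_bio is the stdlib counterpart of an SSL* attached to memory
        # BIOs: no socket, the caller shovels bytes in and out of the BIOs.
        return self.context.wrap_bio(incoming, outgoing, server_side=False,
                                     server_hostname=self.hostname)


class ContextToCreatorAdapter:
    """Bridges a bare context (the ``ctx`` the M2Crypto wrapper takes today)
    to the creator contract, so a context-taking API can still satisfy a
    startTLS that insists on clientConnectionForTLS."""

    def __init__(self, context, hostname):
        self._options = ClientTLSOptions(hostname, context)

    def clientConnectionForTLS(self, protocol):
        return self._options.clientConnectionForTLS(protocol)


def startTLS(protocol, contextFactory):
    """Mirror of ITLSTransport.startTLS's contract: the argument must be a
    connection creator, not a context. Drives the first handshake step and
    returns the bytes the engine wants on the wire (the ClientHello)."""
    creator = getattr(contextFactory, "clientConnectionForTLS", None)
    if not callable(creator):
        raise TypeError("startTLS needs a connection creator, got %s"
                        % type(contextFactory).__name__)
    conn = creator(protocol)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        # Expected: the ClientHello is in the outgoing BIO and the engine is
        # now blocked until the server's reply is fed into the incoming BIO.
        pass
    return protocol.outgoing.read()


def client_hello(creator):
    """Run startTLS with the given creator and return the ClientHello record."""
    return startTLS(TLSProtocolStub(), creator)


def bare_context_is_rejected():
    """A plain SSLContext is exactly what the interface does not accept."""
    try:
        startTLS(TLSProtocolStub(), ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    hello = client_hello(ClientTLSOptions("example.com"))
    print("ClientHello record: type=0x%02x, %d bytes" % (hello[0], len(hello)))
    adapted = client_hello(ContextToCreatorAdapter(
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "example.com"))
    print("via adapter: %d bytes" % len(adapted))
    print("bare context rejected:", bare_context_is_rejected())
```

The first byte of what startTLS() returns is 0x16 (a TLS handshake record) because the engine has already emitted the ClientHello into the outgoing BIO before reporting that it needs to read; that is the point at which a Twisted-style TLS wrapper would hand the bytes to the underlying transport. Note that the adapter only papers over the calling convention: anything that expects to reach the underlying OpenSSL object through the creator still gets whatever engine the adapter's context produces, which is the "cut in at the OpenSSL layer" breakage described above.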

