changes to SSL/TLS in ApplicationRunner in recent AutobahnPython - any new usage examples?

#1

Hi,

We recently updated to the latest AutobahnPython (0.10.5) and Crossbar.io (0.10.4) from slightly earlier versions and our SSL/TLS code, which seemed to have been working fine, broke.

Note: We are planning to use self-signed certs. We are using Twisted. We are using Python 2.

Upon investigating what happened, Crossbar.io/config.json still seems to work OK. Crossbar.io starts and runs, and we have a local authenticator component which still connects OK and registers an authentication procedure.

The issue seems to be with a new optional “ssl” parameter that is now passed to the constructor of ApplicationRunner:

    class ApplicationRunner(object):

        def __init__(self, url, realm, extra=None, debug=False, debug_wamp=False, debug_app=False, ssl=None):
            """
            ...
            :param ssl: (Optional). If specified this should be an
                instance suitable to pass as ``sslContextFactory`` to
                :class:`twisted.internet.endpoints.SSL4ClientEndpoint` such
                as :class:`twisted.internet.ssl.CertificateOptions`. Leaving
                it as ``None`` will use the result of calling Twisted's
                :meth:`twisted.internet.ssl.platformTrust` which tries to use
                your distribution's CA certificates.
            :type ssl: :class:`twisted.internet.ssl.CertificateOptions`
            """

If I understand this correctly, since we want to use self-signed certs (not using our distribution’s CA certs):

  1. Do we need to create this CertificateOptions parameter from our own cert/key?

  2. To save time, is there an example of how to do this somewhere? (If not, since twisted.internet.ssl.optionsForClientTLS() is used in ApplicationRunner for the default case; I guess we can look into using that.)

  3. If the ApplicationRunner client is connecting to a remote Crossbar.io, do we need to have the remote cert/key on the client as well so we can create the CertificateOptions for the connection from them?

Sorry if these are dumb questions - just trying to climb the learning curve.

Thanks very much,

Dave

0 Likes

#2

Hi Dave,

yes, the ssl parameter is new to ApplicationRunner.

To connect to a server "example.com" that is using a self-signed certificate "certData", you need to

from twisted.internet import ssl

authority = ssl.Certificate.loadPEM(certData)
options = ssl.optionsForClientTLS(u'example.com', authority)

http://twistedmatrix.com/documents/current/core/howto/ssl.html#tls-echo-client

and use "options" for the ssl parameter to ApplicationRunner.

You only need the certificate of that server, not the key (which stays private).

> 1) Do we need to create this CertificateOptions parameter from our own
> cert/key?

Yes, from the certificate. See above.

>
> 2) To save time, is there an example of how to do this somewhere? (If
> not, since twisted.internet.ssl.optionsForClientTLS() is used in
> ApplicationRunner for the default case; I guess we can look into using
> that.)

I don't think we have an example.

>
> 3) If the ApplicationRunner client is connecting to a remote
> Crossbar.io, do we need to have the remote cert/key on the client as
> well so we can create the CertificateOptions for the connection from them?

You either need the CA cert (or the self-signed cert) OR you can disable server verification altogether.

Hope this helps,
Cheers,
/Tobias

On 31.08.2015 at 19:00, Dave Barndt wrote (quoting message #1 above in full):


0 Likes
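An added example (not code from Tobias's reply or from the Autobahn project) that wraps his answer in a small helper: it checks that the PEM file holds only the server certificate and no private key (his point 3), takes the hostname to verify from the wss:// URL, and builds the ssl= argument with optionsForClientTLS. The URL, file name and PEM texts are constructed placeholders; Twisted is imported only inside make_client_tls.

```python
import re
try:
    from urllib.parse import urlparse        # Python 3
except ImportError:
    from urlparse import urlparse            # Python 2

# One PEM block: the BEGIN and END labels must match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of all PEM blocks in the text, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_trust_anchor(pem_text):
    """Accept exactly one certificate: the server's key must never be copied
    to the client, and an empty or multi-block file would verify the wrong thing."""
    types = pem_block_types(pem_text)
    if any("PRIVATE KEY" in t for t in types):
        raise ValueError("PEM contains a private key; ship only the certificate")
    if types != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block, got %r" % (types,))
    return True

def tls_hostname(router_url):
    """Name that optionsForClientTLS will verify: the host part of the wss URL.
    It has to match the subject / SAN of the self-signed certificate."""
    parts = urlparse(router_url)
    if parts.scheme != "wss":
        raise ValueError("TLS options only apply to wss:// URLs, got %r" % router_url)
    return parts.hostname

def make_client_tls(router_url, pem_text):
    """Build the value for ApplicationRunner(..., ssl=...)."""
    check_trust_anchor(pem_text)
    from twisted.internet import ssl
    authority = ssl.Certificate.loadPEM(pem_text)
    return ssl.optionsForClientTLS(u"%s" % tls_hostname(router_url), authority)

# Constructed placeholder PEM texts (not real certificates) for the checks.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
LEAKY_PEM = GOOD_PEM + "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Hypothetical usage with a real server.crt on disk:
    # runner = ApplicationRunner(u"wss://example.com:8080/ws", u"realm1",
    #     ssl=make_client_tls(u"wss://example.com:8080/ws", open("server.crt").read()))
    print(tls_hostname(u"wss://example.com:8080/ws"))
```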