Yes, the ssl parameter is new to ApplicationRunner.
To connect to a server "example.com" that is using a self-signed certificate "certData", you need to:

    from twisted.internet import ssl
    authority = ssl.Certificate.loadPEM(certData)
    options = ssl.optionsForClientTLS(u'example.com', authority)

and use "options" for the ssl parameter to ApplicationRunner.
You only need the certificate of that server, not the key (which stays private).
> 1) Do we need to create this CertificateOptions parameter from our own
Yes, from the certificate. See above.
> 2) To save time, is there an example of how to do this somewhere? (If
> not, since twisted.internet.ssl.optionsForClientTLS() is used in
> ApplicationRunner for the default case; I guess we can look into using
I don't think we have an example.
> 3) If the ApplicationRunner client is connecting to a remote
> Crossbar.io, do we need to have the remote cert/key on the client as
> well so we can create the CertificateOptions for the connection from them?
You either need the CA cert (or the self-signed cert) OR you can disable server verification altogether.
Hope this helps,
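
The steps from the reply above, put together as an added example (not part of the original thread and not Autobahn's own code). It is written for Python 3; the helper names, URL, realm and certificate path are hypothetical placeholders.

```python
import re
from urllib.parse import urlparse

# Matches the label of every PEM block, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_trust_anchor(pem_text):
    """Accept exactly one CERTIFICATE block and no key material."""
    labels = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; ship only the certificate")
    if labels != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block, got %r" % labels)
    return pem_text.encode("ascii")


def tls_hostname(url):
    """Host name to verify: taken from the wss:// URL so the two cannot drift."""
    parts = urlparse(url)
    if parts.scheme != "wss" or not parts.hostname:
        raise ValueError("need a wss:// URL, got %r" % url)
    return parts.hostname


def client_options(url, pem_text):
    """Build the value for ApplicationRunner's ssl parameter."""
    # Imported here so the checks above can be used without Twisted installed.
    from twisted.internet import ssl
    authority = ssl.Certificate.loadPEM(check_trust_anchor(pem_text))
    return ssl.optionsForClientTLS(tls_hostname(url), authority)


def run_client(url, realm, cert_path, session_class):
    """Start a WAMP client that trusts only the certificate in cert_path."""
    from autobahn.twisted.wamp import ApplicationRunner
    with open(cert_path) as f:
        options = client_options(url, f.read())
    ApplicationRunner(url, realm, ssl=options).run(session_class)


# Example call (placeholder values, MySession is your ApplicationSession subclass):
# run_client("wss://example.com:8080/ws", "realm1", "server_cert.pem", MySession)
```

optionsForClientTLS checks the server's certificate against the host name taken from the URL, so that name has to appear in the self-signed certificate.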
On 31.08.2015 at 19:00, Dave Barndt wrote:
We recently updated to the latest AutobahnPython (0.10.5) and
Crossbar.io (0.10.4) from slightly earlier versions and our SSL/TLS
code, which seemed to have been working fine, broke.
Note: We are planning to use self-signed certs. We are using Twisted. We are
using Python 2.
Upon investigating what happened, Crossbar.io/config.json still seems to
work OK. Crossbar.io starts and runs, and we have a local authenticator
component which still connects OK and registers an authentication procedure.
The issue *seems* to be with a new optional "ssl" parameter that is now
passed to the constructor of ApplicationRunner:
:param ssl: (Optional). If specified this should be an
instance suitable to pass as ``sslContextFactory`` to
as :class:`twisted.internet.ssl.CertificateOptions`. Leaving
it as ``None`` will use the result of calling Twisted's
:meth:`twisted.internet.ssl.platformTrust` which tries to use
your distribution's CA certificates.
:type ssl: :class:`twisted.internet.ssl.CertificateOptions`
If I understand this correctly, since we want to use self-signed certs
(not using our distribution's CA certs):
1) Do we need to create this CertificateOptions parameter from our own
2) To save time, is there an example of how to do this somewhere? (If
not, since twisted.internet.ssl.optionsForClientTLS() is used in
ApplicationRunner for the default case; I guess we can look into using
3) If the ApplicationRunner client is connecting to a remote
Crossbar.io, do we need to have the remote cert/key on the client as
well so we can create the CertificateOptions for the connection from them?
Sorry if these are dumb questions - just trying to climb the learning curve.
Thanks very much,