Add support for client x509 authentication in Twisted #35
Codecov Report

@@            Coverage Diff             @@
##           master      #35      +/-   ##
==========================================
+ Coverage   88.93%   89.13%   +0.19%
==========================================
  Files          11       11
  Lines         768      782      +14
  Branches      105      106       +1
==========================================
+ Hits          683      697      +14
  Misses         58       58
  Partials       27       27
It does make sense to have this upstream indeed. Would you rather I submit it?
Yeah, if you've got time this week to do it, that'd be great. Otherwise I can get to it Soon™
Create the connection with a client certificate, if configured to do so.

fixes fedora-infra#14

Signed-off-by: Jeremy Cline <jcline@redhat.com>
0ef393c to e83bf6e
parameters.host, | ||
trustRoot=ca_cert, | ||
clientCertificate=client_cert, | ||
extraCertificateOptions={"raiseMinimumTo": ssl.TLSVersion.TLSv1_2}, |
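Review bot: `parameters.host` is the name that Twisted's client TLS options verify the broker's certificate against (and send as SNI), so a configured host that does not match the broker certificate will fail the handshake rather than fall back; the new configuration docs should say the configured host must match the broker certificate. Two smaller points on the same lines: passing `clientCertificate=client_cert` only authenticates the TLS layer, so the matching pika parameters need EXTERNAL authentication as the discussion proposes, otherwise the broker will still expect a username and password; and `ssl.TLSVersion` with `raiseMinimumTo` are comparatively recent Twisted additions, so check that the project's declared minimum Twisted version provides them.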
Nice! 🎉
To make it generic I would need to get the certificates from pika's Am I missing something? It looks like it's intentional that I don't get access to the loaded certificates. Are you thinking of another way to make this code generic enough to get it into pika?
You're not missing something, I made it no further than thinking "it'd be nice if this Just Worked" and a cursory investigation of the pyOpenSSL object before I bailed and loaded things from the config. Given that pyOpenSSL is supposed to be replaced with cryptography (I don't know if Twisted has started on this or not), I don't think it's worth seeing if it's even possible to extract enough information from the object to construct the Twisted object. It'd be nice to revisit at some point, but this isn't a huge amount of boilerplate. Maybe a nice middle ground for the present is to document what is necessary in pika. I'll see about making a PR for that.
Yeah it would be nice to have it documented there. They have a usage example in the
Create the connection with a client certificate, if configured to do so.
@abompard As an aside, what do you think about taking something like this and getting it into upstream pika? It seems like if the SSL context has client certs set, we should automatically be a) setting auth to EXTERNAL, and b) producing the correct twisted connection parameters from the pika parameters.