Support ALPN/NPN #10
It's also entirely possible that I'm an idiot and that this code is overly complex. Who knows? There aren't any tests, as well, so that makes me nervous. |
Current coverage is 85.31% (diff: 88.27%)
@@ master #10 diff @@
==========================================
Files 6 8 +2
Lines 92 361 +269
Methods 0 0
Messages 0 0
Branches 9 21 +12
==========================================
+ Hits 37 308 +271
+ Misses 55 41 -14
- Partials 0 12 +12
|
@Lukasa Looks like codecov disagrees (did it just break) |
Oh okay there are actually no tests. @Lukasa - This actually looks like a fine direction, but it needs some tweaking:
Also we should probably check in with @mithrandi before doing a release |
txacme + h2 seems to work just fine with this branch:
Anything else you need from me? :) |
@mithrandi Huh. Good to know! I am wondering if we need to leave |
Nope; the only "touching" that happens is passing a wrapped host mapping to |
Basically the only thing |
Fantastic, then the cleanup shouldn't matter. |
Could someone put "fixes #9" in the description of this PR? :) |
@mithrandi I stuffed some words into @Lukasa's mouth on the first comment there, hopefully that will do |
Ok, assuming I'm not caught up with family stuff this weekend imma have a swing at @glyph's changes for this PR. |
Ok I've done the first two. The third one I can't do (@glyph incorrectly believed that |
Ok, I added tests. I'm not really happy about this. There are a lot of things I can't easily test in this manner: for example, TxSNI's fallback to use the DEFAULT.pem file is hard to test with Twisted's endpoints because they don't actually let you omit SNI. Anyway, these tests include a basic bit of "does this legitimately work at all" stuff, including for protocol negotiation. So that is something. |
@glyph, you monster! The tests against Twisted 13.2 blow up because IOpenSSLConnectionCreator doesn't exist. So...why did I add it? ;) |
@Lukasa As the one who picked "Twisted 13.2" as the minimum version to test on, I can tell you that the choice was essentially arbitrary; let's just bump the minimum version to whatever we need to support this? |
Twisted 14.0, I think, then. |
So on the coverage front, the thing we seem to be missing is the ALPN stuff. This isn't a surprise: it turns out Ubuntu sucks and doesn't have a recent OpenSSL. |
14.0 is the minimum acceptable version of Twisted for anything in production. Before that we don't even verify certs. |
Bump for @glyph. |
@Lukasa If I understand the question for me, it is: Travis-CI isn't covering the NPN stuff in this PR because the base image that Travis is testing with has an OpenSSL that's too old? My solution to that would be: could you submit a separate PR that just bumps the OpenSSL version, either by building one in the travis config, or by selecting a more recent OS to run on travis (perhaps with their "docker" support, I dunno) and then we can land that first? |
da9b4b6 to 492a926
Oops. I should have landed this some time ago! |
@@ -0,0 +1,45 @@ | |||
-----BEGIN RSA PRIVATE KEY----- |
On second thought, I don't want to get email from security scanners about this :). Can these keys be generated on the fly (or at least "once per developer") rather than checked in?
@Lukasa - I'd be happy to merge this but if you could remove the private keys from the repo first that would be great. If it would be inordinately difficult, then I suppose it is something I could live with for now, though :) |
We had it before, but we need it explicitly now.
Ok @glyph, this should remove the certs from the repo. |
Many thanks to @alex and @reaperhulk for writing something that makes it really easy to build certs on the fly. |
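The approach discussed above (test keys built at run time instead of checked in, then used to exercise protocol negotiation), as an added example that is not code from this PR. It assumes the `cryptography` package and a `<hostname>.pem` file layout; `make_test_pem` and `negotiate` are hypothetical names.

```python
import datetime
import pathlib
import ssl

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_test_pem(hostname, directory):
    """Write <directory>/<hostname>.pem with a fresh key and self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.DNSName(hostname)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))  # throwaway cert
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))
    cert_pem = cert.public_bytes(ser.Encoding.PEM)
    key_pem = key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.TraditionalOpenSSL,
                                ser.NoEncryption())
    path = pathlib.Path(directory, hostname + ".pem")
    path.write_bytes(key_pem + cert_pem)  # key first, then the certificate
    return str(path), cert_pem


def negotiate(path, cert_pem, hostname, server_protos, client_protos):
    """Handshake over memory BIOs; return (client, server) selected protocol."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(path)
    server.set_alpn_protocols(server_protos)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    client.load_verify_locations(cadata=cert_pem.decode("ascii"))
    client.set_alpn_protocols(client_protos)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c = client.wrap_bio(c_in, c_out, server_hostname=hostname)
    s = server.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):  # a full handshake needs only a few exchanges
        for side in (c, s):
            try:
                side.do_handshake()
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the peer
        s_in.write(c_out.read())  # shuttle client -> server
        c_in.write(s_out.read())  # shuttle server -> client
    return c.selected_alpn_protocol(), s.selected_alpn_protocol()
```

Call `make_test_pem` inside a `tempfile.TemporaryDirectory()` so the key never outlives the test run; the server's protocol order decides the result when both sides offer several.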
@sigmavirus24 gets some credit too -- he shepherded at least one of the builder PRs through our review gauntlet :) |
looks around after finding himself in an unfamiliar place, spots a rock, and hides behind it |
what the heck happened to codecov :(. 0% of diff hit now? |
@glyph The secret is in the build log: "Coverage.py warning: No data was collected." Adding |
Oh right, we're using |
Yeah, this is also a facet of the fact that trial changed and now only tests installed code, rather than code that is in the tree. That means that the coverage path is probably no longer right. |
Alrighty, progress made. =D |
Fantastic! Looks good to me. |
@glyph, as discussed, this fixes #9. It's not that small though (+146/-3), so we may want to approach this a different way.