pythontwistedautobahntwisted.internetcrossbar

How to handle certificate in Twisted?

I have an existing code in Python Autobahn which connects to a Crossbar server using WS. I want to make it work on WSS. I have changed Crossbar, and it is working fine. I have tested it using Javascript Autobahn. However, the Python part doesn't connect to Crossbar with the change of protocol.

Although the certificate used in Crossbar server is a DigiCert certified one; but my guess is that the problem is related to the certificate. As I tried checking the certificate using this procedure;

from __future__ import print_function
import sys
from twisted.internet import defer, endpoints, protocol, ssl, task, error

def main(reactor, host, port=443):
    options = ssl.optionsForClientTLS(hostname=host.decode('utf-8'))
    port = int(port)

    class ShowCertificate(protocol.Protocol):
        def connectionMade(self):
            self.transport.write(b"GET / HTTP/1.0\r\n\r\n")
            self.done = defer.Deferred()
        def dataReceived(self, data):
            certificate = ssl.Certificate(self.transport.getPeerCertificate())
            print("OK:", certificate)
            self.transport.abortConnection()
        def connectionLost(self, reason):
            print("Lost.")
            if not reason.check(error.ConnectionClosed):
                print("BAD:", reason.value)
            self.done.callback(None)

    return endpoints.connectProtocol(
        endpoints.SSL4ClientEndpoint(reactor, host, port, options),
        ShowCertificate()
    ).addCallback(lambda protocol: protocol.done)

task.react(main, sys.argv[1:])

it fails.

('BAD:', Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],))

I have already installed the “service_identity” and “idna” packages from PyPI, as the link suggests.

I am trying to either help Twisted to verify the certificate or bypass the verification process.

Solution

  • Apparently, Twisted couldn't verify the certificate. So, manually injecting the key/cert files made the change:

     endpoints.SSL4ClientEndpoint(reactor, host, port, ssl.DefaultOpenSSLContextFactory("key.pem",                                           "cert.pem")),

    However, if the key/cert files are not available, veritication can be simply turned off (not secure, though):

    endpoints.SSL4ClientEndpoint(reactor, host, port, ssl.CertificateOptions(verify=False)),