
TLS support includes root certificate management code that should be handled elsewhere

Open exarkun opened this issue 8 years ago • 3 comments

txaws/client/ssl.py is mostly just code that's been obsoleted by improvements to certificate authority certificate handling code in Twisted.

We can probably just get rid of the whole module (after deprecating it, I suppose). Certainly we don't need VerifyingWebClientContext anymore. Instead, we should use BrowserLikePolicyForHTTPS.

This will:

  • reduce complexity of txaws code (in a security-sensitive area)
  • bring support for certificate bundles (which txaws can't currently understand)
  • make Twisted responsible for making sure something good happens on Windows (twisted has Windows CI, txaws does not)

exarkun avatar Apr 05 '17 12:04 exarkun

@Julian asked what's needed to get rid of the "probably" from the issue description so I took another look at the module.

It still looks to me as if this whole module can be deprecated and then eliminated. We'll have to bump up the minimum supported version of Twisted so we can be sure we get BrowserLikePolicyForHTTPS and we should check for TXAWS_CERTS_PATH and respect that in the new codepaths (and also deprecate it).

So, yea, anyone who wants to can go ahead and deprecate this thing.

exarkun avatar Apr 27 '17 19:04 exarkun
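An added example (not txaws code, and not the branch Julian mentions) of the shape exarkun describes above: a `BrowserLikePolicyForHTTPS` that falls back to the platform trust store, honours `TXAWS_CERTS_PATH` when it is set, understands PEM bundles, and warns that the variable is deprecated. Assumptions: `TXAWS_CERTS_PATH` is a path-separator-delimited list of directories holding PEM files, `trustRootFromCertificates` is available (Twisted 16.0 or newer), and every function name here is mine.

```python
import os
import re
import warnings

# Constructed sample bundle: two PEM blocks in one file. The bodies are
# placeholders for this example, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "text between blocks is ignored\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text):
    """Return each certificate block in a PEM bundle as its own string."""
    return _PEM_BLOCK.findall(text)


def cert_dirs_from_env(environ=os.environ):
    """Directories named by TXAWS_CERTS_PATH (assumed os.pathsep-separated).
    Empty list when unset; warns because the variable is being deprecated."""
    value = environ.get("TXAWS_CERTS_PATH")
    if not value:
        return []
    warnings.warn("TXAWS_CERTS_PATH is deprecated; the platform trust store "
                  "is used when it is unset", DeprecationWarning, stacklevel=2)
    return [d for d in value.split(os.pathsep) if d]


def pem_blocks_from_dirs(dirs):
    """Read every file in each directory and split out its PEM blocks,
    so a single bundle file contributes all of its certificates."""
    blocks = []
    for d in dirs:
        for name in sorted(os.listdir(d)):
            with open(os.path.join(d, name)) as f:
                blocks.extend(split_pem_bundle(f.read()))
    return blocks


def make_https_policy(environ=os.environ):
    """Build the TLS policy for an Agent: platform trust by default,
    or the operator-supplied roots when TXAWS_CERTS_PATH is set."""
    from twisted.internet.ssl import Certificate, trustRootFromCertificates
    from twisted.web.client import BrowserLikePolicyForHTTPS
    blocks = pem_blocks_from_dirs(cert_dirs_from_env(environ))
    if not blocks:
        return BrowserLikePolicyForHTTPS()  # platformTrust() is the default
    certs = [Certificate.loadPEM(b) for b in blocks]
    return BrowserLikePolicyForHTTPS(trustRoot=trustRootFromCertificates(certs))
```

Pass the result as `Agent(reactor, contextFactory=make_https_policy())`; the Twisted imports are deferred so the path and bundle handling can be exercised without Twisted installed.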

AFAICT, 15.5.0, which is the current minimum version, already had BrowserLikePolicyForHTTPS, and used it by default in Agent:

https://twistedmatrix.com/documents/15.5.0/api/twisted.web.client.Agent.html

Julian avatar May 04 '17 16:05 Julian

Alright, I cowboy coded together some stuff in https://github.com/twisted/txaws/tree/deprecate-t-c-ssl which looks like it should get 80% of the way there to my layman's eye, but it exhausted me a bit, so will have to leave it there for now till I catch a second wind.

Julian avatar May 04 '17 16:05 Julian