glyph / txsni

Simple support for running a TLS server with Twisted.
MIT License

Support for intermediate certificates loading #19

Closed evilaliv3 closed 7 years ago

evilaliv3 commented 7 years ago

The current implementation does not allow loading an intermediate certificate.

This requirement is particularly important in order to guarantee that the certificate chain offered by the SSL server is complete and trusted by the client.

As far as I know, given the current implementation of Twisted certificate validators, this could not be implemented just using the function PrivateCertificate.fromCertificateAndKeyPair that is currently used, but would require a direct call to the pyOpenSSL API add_extra_chain_cert(intermediate) to attach the intermediate certificates to the context.

evilaliv3 commented 7 years ago

Probably an up-to-date solution to add this would be to use OpenSSLCertificateOptions() in place of PrivateCertificate.fromCertificateAndKeyPair().

glyph commented 7 years ago

This report is inaccurate. Put your intermediates into the same PEM file as your certificate and key, and txsni will figure out which one is the certificate that matches the private key, and use the rest as intermediates.

You can see where it passes the intermediates to CertificateOptions here: https://github.com/glyph/txsni/blob/3e9379c1bf9a3ceb4b52b4950afd6f1420fb9a7b/txsni/only_noticed_pypi_pem_after_i_wrote_this.py#L52

Thanks for using TxSNI, though!
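The approach glyph describes, written out as an added example (this is not txsni's own code and not taken from the linked file): split one PEM bundle into its key and certificate blocks, treat the certificate whose public key matches the private key as the leaf, and pass every other certificate to Twisted's CertificateOptions as extraCertChain. The PEM splitting uses only the standard library; `select_leaf_and_chain()` assumes pyOpenSSL is installed and `certificate_options_from_bundle()` additionally assumes Twisted. `EXAMPLE_BUNDLE` is a constructed sample whose bodies are not real base64 certificates, so it exercises only the splitting step.

```python
"""Serve the full certificate chain from one combined PEM file in Twisted.

Added example for the txsni issue thread, not txsni's own code. The bundle
may list the key, leaf and intermediates in any order.
"""
import re

# Matches one PEM block and captures its label (e.g. "CERTIFICATE",
# "RSA PRIVATE KEY") so BEGIN/END labels can be checked against each other.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample bundle: the bodies are placeholders, not real DER/base64.
EXAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "CONSTRUCTEDLEAFCERTBODYLINE1\n"
    "CONSTRUCTEDLEAFCERTBODYLINE2\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "CONSTRUCTEDPRIVATEKEYBODY\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "CONSTRUCTEDINTERMEDIATECERTBODY\n"
    "-----END CERTIFICATE-----\n"
)


def split_pem_bundle(bundle_text):
    """Return (private_key_pem, [certificate_pem, ...]) from one PEM file.

    Raises ValueError if the bundle has no key, more than one key, or no
    certificate, so a misassembled bundle fails at load time rather than
    producing a server with an incomplete chain.
    """
    keys, certs = [], []
    for match in _PEM_BLOCK.finditer(bundle_text):
        label = match.group(1)
        block = match.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        # Other labels (e.g. DH PARAMETERS) are ignored.
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if not certs:
        raise ValueError("bundle contains no certificates")
    return keys[0], certs


def select_leaf_and_chain(key_pem, cert_pems):
    """Pick the leaf (the certificate whose public key matches the private
    key); the remaining certificates, in file order, form the chain.
    Assumes pyOpenSSL is installed."""
    from OpenSSL import crypto  # assumption: pyOpenSSL available

    key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem.encode())
    key_pub = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
    leaf, chain = None, []
    for pem in cert_pems:
        cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem.encode())
        cert_pub = crypto.dump_publickey(crypto.FILETYPE_PEM, cert.get_pubkey())
        if leaf is None and cert_pub == key_pub:
            leaf = cert
        else:
            chain.append(cert)
    if leaf is None:
        raise ValueError("no certificate in the bundle matches the private key")
    return key, leaf, chain


def certificate_options_from_bundle(bundle_text):
    """Build a Twisted server context factory that sends leaf + intermediates.
    Assumes Twisted is installed."""
    from twisted.internet.ssl import CertificateOptions  # assumption: Twisted available

    key, leaf, chain = select_leaf_and_chain(*split_pem_bundle(bundle_text))
    return CertificateOptions(privateKey=key, certificate=leaf, extraCertChain=chain)
```

With a real bundle, `reactor.listenSSL(port, site, certificate_options_from_bundle(open(path).read()))` serves the chain; confirm from a client with `openssl s_client -showcerts -servername <host> -connect <host>:<port>` and check that the intermediates appear in the output, since a missing intermediate is invisible from the server side but fails validation on clients without that certificate cached.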