glyph / txsni

Simple support for running a TLS server with Twisted.
MIT License

support different certificates for every (hostname, protocol) tuple or just letsencrypt #25

Open dholth opened 5 years ago

dholth commented 5 years ago

The acme letsencrypt protocol requires a special certificate if acme-tls/1 is used. acme-tls/1 is negotiated through alpn. I think the necessary hook would be here: https://github.com/glyph/txsni/blob/master/txsni/snimap.py#L95

Wrap cb(context, protocols) in _ContextProxy.set_alpn_select_callback. If the original callback function in twisted/internet/_sslverify.py returns b'acme/1', set the context as in selectContext(self, connection), but look for the certificate in self.acme_mapping[connection.get_servername()] (it might be in a different directory acme/servername.pem)

dholth commented 5 years ago

It looks like it is possible to set_alpn_protos inside the set_alpn_select_callback. This means you don't have to append tls-acme/1 to acceptable protocols and complicate the proxy object. You can just say you're using it after the client asks for it.
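The hook sketched in the two comments above, as an added example that is not part of the issue or of txsni's own code: an ALPN select callback that first checks whether the client offered `acme-tls/1` (the ALPN identifier for the TLS-ALPN-01 challenge) and, if a challenge certificate is on file for the requested servername, switches the connection to that certificate's context and selects `acme-tls/1`; otherwise it defers to the original callback unchanged. The `acme_contexts` mapping, the `FakeConnection` stand-in and the `fallback_select` callback are assumptions made for the example; the real wiring would pass a pyOpenSSL `Connection` whose `get_servername()` and `set_context()` methods have the same shape.

```python
"""Added example (not txsni's code): per-servername ACME challenge context
selected from inside an ALPN select callback.
"""

# ALPN protocol id used by the ACME TLS-ALPN-01 challenge (RFC 8737).
ACME_TLS_1 = b"acme-tls/1"


class AlpnAcmeSelector:
    """Wraps an existing ALPN select callback.

    acme_contexts: hypothetical mapping servername (bytes) -> SSL context
        holding the challenge certificate for that name (e.g. loaded from
        acme/<servername>.pem as the issue suggests).
    fallback_select: the original callback(connection, protocols) -> bytes.
    """

    def __init__(self, acme_contexts, fallback_select):
        self.acme_contexts = acme_contexts
        self.fallback_select = fallback_select

    def choose(self, servername, protocols):
        """Pure decision step, separated so it can be tested offline.

        Returns (selected_protocol, context) when the ACME path applies,
        or None when the original callback should decide.
        """
        # Only switch when the client actually asked for acme-tls/1 AND a
        # challenge certificate exists for this name; an unknown name must
        # not be answered with someone else's challenge certificate.
        if ACME_TLS_1 in protocols and servername in self.acme_contexts:
            return ACME_TLS_1, self.acme_contexts[servername]
        return None

    def __call__(self, connection, protocols):
        """Signature expected by Context.set_alpn_select_callback."""
        servername = connection.get_servername()
        decision = self.choose(servername, protocols)
        if decision is None:
            # Normal traffic: let the existing callback pick h2/http/1.1 etc.
            return self.fallback_select(connection, protocols)
        proto, ctx = decision
        # Swap in the context that carries the challenge certificate so the
        # handshake presents it, then commit to the ACME protocol.
        connection.set_context(ctx)
        return proto


class FakeConnection:
    """Constructed stand-in for a pyOpenSSL Connection (offline demo only)."""

    def __init__(self, servername):
        self._servername = servername
        self.context = None

    def get_servername(self):
        return self._servername

    def set_context(self, ctx):
        self.context = ctx


def demo():
    # Constructed sample data: one name with a challenge context on file.
    acme_contexts = {b"example.com": "ACME-CHALLENGE-CONTEXT"}
    original = lambda conn, protos: b"h2" if b"h2" in protos else protos[0]
    select = AlpnAcmeSelector(acme_contexts, original)

    challenge = FakeConnection(b"example.com")
    chosen_for_challenge = select(challenge, [ACME_TLS_1])

    regular = FakeConnection(b"example.com")
    chosen_for_regular = select(regular, [b"h2", b"http/1.1"])

    unknown = FakeConnection(b"other.example")
    chosen_for_unknown = select(unknown, [ACME_TLS_1])

    return {
        "challenge": (chosen_for_challenge, challenge.context),
        "regular": (chosen_for_regular, regular.context),
        "unknown": (chosen_for_unknown, unknown.context),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keeping the decision in `choose()` means the servername-to-certificate lookup can be unit-tested without opening a socket, and the fallback path guarantees that wrapping the callback changes nothing for clients that never offer `acme-tls/1`.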