adopt new Twisted TLS APIs

The code in Synapse uses a subclass of `ssl.ContextFactory` with some manual OpenSSL setup.

Twisted will do quite a lot of this for you (more every day!) and can handle several things that it looks like Synapse isn't doing right now, like service identity validation and [sending server name indication](https://github.com/matrix-org/synapse/issues/1491).

The relevant APIs are:

- Implement [`twisted.internet.interfaces.IOpenSSLClientConnectionCreator`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.interfaces.IOpenSSLClientConnectionCreator.html) or [`twisted.internet.interfaces.IOpenSSLServerConnectionCreator`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html) rather than subclassing `ContextFactory` if you need to do your own thing.
- Consider using [`optionsForClientTLS`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.ssl.html#optionsForClientTLS) for clients, or [`CertificateOptions`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.ssl.CertificateOptions.html) (sorry - horrible class name there, I know) for servers, if the default behavior is good enough.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

adopt new Twisted TLS APIs #1691

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

adopt new Twisted TLS APIs #1691

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions