adopt new Twisted TLS APIs

The code in Synapse uses a subclass of `ssl.ContextFactory` with some manual OpenSSL setup.

Twisted will do quite a lot of this for you (more every day!) and can handle several things that it looks like Synapse isn't doing right now, like service identity validation and [sending server name indication](https://github.com/matrix-org/synapse/issues/1491).

The relevant APIs are:

- Implement [`twisted.internet.interfaces.IOpenSSLClientConnectionCreator`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.interfaces.IOpenSSLClientConnectionCreator.html) or [`twisted.internet.interfaces.IOpenSSLServerConnectionCreator`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.interfaces.IOpenSSLServerConnectionCreator.html) rather than subclassing `ContextFactory` if you need to do your own thing.
- Consider using [`optionsForClientTLS`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.ssl.html#optionsForClientTLS) for clients, or [`CertificateOptions`](https://twistedmatrix.com/documents/16.6.0/api/twisted.internet.ssl.CertificateOptions.html) (sorry - horrible class name there, I know) for servers, if the default behavior is good enough.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

adopt new Twisted TLS APIs #1691

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

adopt new Twisted TLS APIs #1691

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions