I've been trying to create a simple python twisted TLS client/server application based on https://twistedmatrix.com/documents/14.0.0/core/howto/ssl.html#client-authentication and https://twistedmatrix.com/documents/14.0.0/core/howto/ssl.html#using-starttls. Ie, I want to create a plain text connection, then on client issue of a STARTTLS command, switch to a secure connection, with the appropriate certificate authentication. So far, I've had little joy.
My first concern is the client auth example in the URL above is wrong. This seems to suggest the client and server both need "server.pem" (private key and self-signed certificate together) and "public.pem" (the server’s public certificate by itself). My understanding of authentication is that if the client has the server's private key, then this renders the authentication / security largely redundant? Assuming I'm right, how should this example look?
Secondly, as much as I've tried - I'm still struggling to get my head around the way Twisted works generally. Can someone give some illustration to how amend the starttls example in the URL above to incorporate authentication?
Thanks!
My first concern is the client auth example in the URL above is wrong. This seems to suggest the client and server both need "server.pem" (private key and self-signed certificate together) and "public.pem" (the server’s public certificate by itself). My understanding of authentication is that if the client has the server's private key, then this renders the authentication / security largely redundant? Assuming I'm right, how should this example look?
The URL you linked to is the "Client Authentication" section of the TLS documentation. It is demonstrating how you use a client-side certificate to authenticate the client to the server (note that what is common with TLS - HTTPS - is to authenticate the server to the client).
In the case of client authentication, the client does indeed need a private key and a certificate (self-signed or otherwise). This parallels the requirement that in "normal" TLS (where only the server authenticates itself to the client) the server must have a private key and a certificate (self-signed or otherwise).
The client does not need the server's private key, though. It needs its own. (Actually, it will work if both sides have the same key, but this isn't the typical case.)
Secondly, as much as I've tried - I'm still struggling to get my head around the way Twisted works generally. Can someone give some illustration to how amend the starttls example in the URL above to incorporate authentication?
What kind of authentication do you want? If you're doing TLS client authentication, then that is a form of authentication. If that is sufficient, you just need to configure your server properly. The same certificate validation logic that clients normally do for the server certificate presented is done - but in the opposite direction - when you use a client certificate. The server looks for a chain if valid signatures from the certificate to one of its trust roots.