Home/ Questions/Q 8453145
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T11:41:34+00:00

Currently using a really simple Twisted NameVirtualHost coupled with some JSON config files to

  • 0

Currently using a really simple Twisted NameVirtualHost coupled with some JSON config files to serve really basic content in one Site object. The resources being served by Twisted are all WSGI objects built in flask.

I was wondering on how to go about wrapping the connections to these domains with an SSLContext, since reactor.listenSSL takes one and only one context, it isn’t readily apparent how to give each domain/subdomain it’s own crt/key pair. Is there any way to set up named virtual hosting with ssl for each domain that doesn’t require proxying? I can’t find any Twisted examples that use NameVirtualHost with SSL, and they only thing I could get to work is hook on the reactor listening on port 443 with only one domain’s context?

I was wondering if anyone has attempted this?

My simple server without any SSL processing:

https://github.com/DeaconDesperado/twsrv/blob/master/service.py

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    TLS (the name for the modern protocol which replaces SSL) only very recently supports the feature you’re looking for. The feature is called Server Name Indication (or SNI). It is supported by modern browsers on modern platforms, but not some older but still widely used platforms (see the wikipedia page for a list of browsers with support).

    Twisted has no specific, built-in support for this. However, it doesn’t need any. pyOpenSSL, upon which Twisted’s SSL support is based, does support SNI.

    The set_tlsext_servername_callback pyOpenSSL API gives you the basic mechanism to build the behavior you want. This lets you define a callback which is given access to the server name requested by the client. At this point, you can specify the key/certificate pair you want to use for the connection. You can find an example demonstrating the use of this API in pyOpenSSL’s examples directory.

    Here’s an excerpt from that example to give you the gist:

    def pick_certificate(connection):
    try:
        key, cert = certificates[connection.get_servername()]
    except KeyError:
        pass
    else:
        new_context = Context(TLSv1_METHOD)
        new_context.use_privatekey(key)
        new_context.use_certificate(cert)
        connection.set_context(new_context)

server_context = Context(TLSv1_METHOD)
server_context.set_tlsext_servername_callback(pick_certificate)

    You can incorporate this approach into a customized context factory and then supply that context factory to the listenSSL call.

    • 0