support SSL client auth in stompest.async

[ktdreyer]

I'm attempting to authenticate to STOMP on ActiveMQ that requires SSL clients to present a x509 keypair in order to connect.

For the stompest sync client, it is really simple, I just have to provide the public cert and key to my ssl context with load_cert_chain():

context = ssl.create_default_context()
context.load_cert_chain(certfile="kdreyer.pem", keyfile='kdreyer.key')
...
CONFIG = StompConfig(BROKER, sslContext=context)

... and then I can receive messages in my queue, etc.

Unfortunately this does not work for the stompest async client. Here's the error I'm getting

INFO:stompest.async.protocol:Connecting to server.example.com:61612 ...
DEBUG:stompest.async.protocol:Sending CONNECT frame [version=1.0]
Unhandled error in Deferred:

INFO:stompest.async.listener:Disconnected: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad certificate')]
ERROR:stompest.async.listener:Disconnect because of failure: Unexpected connection loss [[('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad certificate')]]
DEBUG:stompest.async.listener:Calling disconnected errback: Unexpected connection loss [[('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad certificate')]]

I've been looking over Twisted's docs for Client cert auth, but I'm a bit lost as to where I would set those options in stompest.async. Somewhere in util.py ?

[nikipore]

@ktdreyer: Did you install twisted[tls]?
@cjrh: Please advise.

[cjrh]

My first thought would be that there should be no difference between the sync and async versions, since for both, the ssl context object wraps the underlying socket. However, I see the Twisted code samples that @ktdreyer linked, and it looks a lot more involved than what I was expecting. I don't have any experience with client cert validation, unfortunately.

To be absolutely clear, does it fail if

• twisted[tls] is installed
• an ssl context is created and passed into StompConfig(), exactly like for the sync case?

I realise that in the stompest docs we don't have an explicit TLS example in the async case, but the idea was that it would be configured exactly the same as for the sync case, so I decided not to add one.

If the answer to both of those bullets above is "yes", and it is still failing, then I'm not sure how to proceed without spending a lot more time investigating.

[cjrh]

Also SSLv3 is regarded as insecure and I'm pretty sure it's disabled by default, at least in Python 3.6.

[ktdreyer]

Thanks guys! twisted[tls] is installed in my tests.

You're right, I'm passing an ssl context to StompConfig(), in the exact same way that I do in the synchronous case.

The "ssl3" thing is odd because I've tried specifically disabling it, to no avail:

context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_SSLv3

My guess is that error message is a generic OpenSSL error message and it's hiding the client cert auth failure.

I was able to get this to work by hacking util.py's endpointFactory() method. When I append privateKey=kdreyer.key:certKey=kdreyer.pem to the large string we pass to clientFromString(), it works.

I guess I could pass my own custom endpointFactory to the main Stomp class, but it would be awesome to make this more built-in (or at least documented.) What do you think? I'm happy to write a PR, just let me know your thoughts on the design.

I can write a PR if you like.

[ktdreyer]

After messing around with this today, I was able to get it to work using a custom endpointFactory, and then I came up with this patch that adds the key/cert file args to connect() : #42