Recently, I’ve been hacking on a thing which has been using Twisted’s AMP
for making remote calls. I’ve developed a bit of a fetish for SSL client
certificates, so I was hoping to use that for authenticating clients. AMP does
have STARTTLS support built in, but I couldn’t find any examples! Here’s what
I found and figured out, for future hackers:
Always initiate from the client
Until a bug in Twisted is resolved, only the client will be able to
successfully initiate the StartTLS. Here’s a full runnable example.
ssl.pem must include both the certificate and the key. Though the example
doesn’t demonstrate it, certificate authorities to use can also be specified
using the tls_verifyAuthorities parameter (see the API docs for StartTLS).