Twisted Python and TLS - what does the client code need for handshaking? (I thought just public key!)

Question

Forgive me here - despite best efforts this is a rather non-precise way of asking a fairly precise question!

I was recently pointed towards the following website for help on generating a server side key/cert (pem file) for my Twisted Python TLS server: https://twistedmatrix.com/trac/browser/trunk/twisted/test/server.pem

As you can see, the code here generates a PEM file that contains the python source (subsequently removed!) and the certificate, and private key.

From here, I used the following to generate a public key (since pyOpenSSL apparently has no way of exporting it)

openssl x509 -pubkey -noout -in server.pem > public.key

I then used the server.pem file generated above in the "starttls_server.py" sample found here: https://twistedmatrix.com/documents/14.0.0/core/howto/ssl.html

However, the corresponding starttls_client.py example seems to want to use the same "server.pem" file. Surely this is wrong? My (limited!) understand of TLS was that the client would be given a copy of the public key, and this would be used for the handshaking. Nontheless I tried it, and wasn't overly surprised when it didn't work:

Failure: twisted.internet.error.ConnectionRefusedError: Connection was refused by other side: 111: Connection refused.

I also tried specifying the public.key I had exported, but this generated a (seemingly common) empty error from OpenSSL.crypto:

OpenSSL.crypto.Error: []

So with all that explained - can someone tell me how to produce what I need client side, to successfully agree a TLS connection with my server and it's cert/private key?

Thanks :)

EDIT - Following a comment - server.pem and client.crt (as used in my code) now shown below:

Server.pem:

-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDDgvgemYHAmHkk
jkhrwhWABfAMErAQbadkwRgTK2aN4oh2BGsCk1r4nMqZmHMSGwrXNHZ/P9YGodmj
z8IRh7mwyvZipOdLJrHP46KqHiMM8J9vzrOMrbNQMc1zhgTGzCwU0tscGc5wWRkF
RWC2PbNRbwI514/1AUEMAVEfgaXgUOa88TwZ9mX/j2nPxhNo/h0eB69wdMerNNAm
ih46/85+eHl+1pSemdFSpXUJGWw1A2LVw1lubKgVkaM3iYVVl/BXgFaVgfSezpuv
c1AD1Mnwpg5VWalSAvttSTaOobKYtOyUZ+GDi6jOMAgQij0jFZODb+DpuL0Mohqu
pv8jIaYJAgMBAAECggEBAL2pV7mXgN+tChgETwz6ApFnMS8FEfdd6H09NHWkLKCH
mYmjT4v4FtAGiiPmV/rAcQvDwRBAhQd6Cv92k/UdjW2L9uhKwHWO2/+n/Cy7f5UV
+BUml9doygKJzZy77fZMKpco1ZW1Eya5yCPs4ZzozgO5hJdIHka3KLrUrDW8N4Ya
P97nCBtMDPMLLydfeQfyMwfzQyl38NCzQ0gVEsX1OVRHC5O7OYMESbtXZe3khe05
+yYhO7qWpuufD8gw3STbJa0D21cU/n83+e7yMR6zuWt+nRXFuVB4hqjhqugPaen0
aD7/RNavesMLXm4qESrKe1bhhYwM6dc0BbeXZVj5/2ECgYEA/RTSUcoRCUowkhni
c26pRxZLlock/ZgSDhIp0sLLBv1ayXb7UNbQboNC4o9lCQLlPvYCKxgqefwMz1aM
BKW1FYl9M7f/4XNDWlEMYXfnYaqaJF8Sk8EBMoKN/IHOOCFVoItBtn9fyUiDPlqm
+kTXD+xlhsDKvvWVbwYyAL6fG4sCgYEAxcQu3WrXgmbdqHFw8YtoWGvkpDcgdWpS
MURO65cZTdxHRpXC7CrBUEG0thUHINx+rqYjrqCpc0Cy0JBbgxy77kLP2dubLcsq
5n/CMTFKoegUcrj22CSJeKKrK1JVUpzgHA5m3ozFZXzS4/VQXugN+dcHZybTbMp8
n+K14kTQhzsCgYEA4wPhYTJzs7ST+wozAj56o+SQ6zbQ7JWTZIHQeFj5S4zJ+ju7
VZlLoEYoIhhklf+96Ys9CLEFsSRxzS6iLK0D0Yzh/RmI8w+0k/httaSbrhUdbZDG
ljkjvM41VRKPC/SC3Z7s1CpPnrtn1u/0JjzH+WWg8I5Rj5e1csDI67gR+t8CgYEA
v/5doQeAgVBsEINRKq40duMH7YS3NkYp1TqDg6QFJNmdOKFbwvsfAVNIpRx09yoY
smUIbxf6abF954y9yuOybvTd5JqWZDbBR1TwqeE4m0Y708RNoDiYXU1O75fWzYUO
7S3uIFB5srUj57rYc8rFBrACt9mxmARcSLxH54r3BtECgYBuhcBtb9z07pkCdaB2
pNER/wHrW8e8Hv1vch8sVJj+Cq7TUn15rk8zSmUcBNshprCE8LBnUOU5KkJeogRN
1pnLXD8tsGRq+5qVpFs8PsxJSptuzmFauAk1Uy2qdmETJ1XddfVEK2HB0/4LplPt
ZpUigmuNTyg50i40LpusDj46jg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID+DCCAuACAws5BjANBgkqhkiG9w0BAQUFADCBvzELMAkGA1UEBhMCVUsxGDAW
BgNVBAgTD0dsb3VjZXN0ZXJzaGlyZTETMBEGA1UEBxMKR2xvdWNlc3RlcjESMBAG
A1UEAxMJbG9jYWxob3N0MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMSQw
IgYDVQQLExtBdXRvbWF0ZWQgVGVzdGluZyBBdXRob3JpdHkxKTAnBgkqhkiG9w0B
CQEWGnNlY3VyaXR5QHR3aXN0ZWRtYXRyaXguY29tMCAXDTE0MDkxODEyNTIzNFoY
DzIxMTQwODI1MTI1MjM0WjCBvzELMAkGA1UEBhMCVUsxGDAWBgNVBAgTD0dsb3Vj
ZXN0ZXJzaGlyZTETMBEGA1UEBxMKR2xvdWNlc3RlcjESMBAGA1UEAxMJbG9jYWxo
b3N0MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMSQwIgYDVQQLExtBdXRv
bWF0ZWQgVGVzdGluZyBBdXRob3JpdHkxKTAnBgkqhkiG9w0BCQEWGnNlY3VyaXR5
QHR3aXN0ZWRtYXRyaXguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAw4L4HpmBwJh5JI5Ia8IVgAXwDBKwEG2nZMEYEytmjeKIdgRrApNa+JzKmZhz
EhsK1zR2fz/WBqHZo8/CEYe5sMr2YqTnSyaxz+Oiqh4jDPCfb86zjK2zUDHNc4YE
xswsFNLbHBnOcFkZBUVgtj2zUW8COdeP9QFBDAFRH4Gl4FDmvPE8GfZl/49pz8YT
aP4dHgevcHTHqzTQJooeOv/Ofnh5ftaUnpnRUqV1CRlsNQNi1cNZbmyoFZGjN4mF
VZfwV4BWlYH0ns6br3NQA9TJ8KYOVVmpUgL7bUk2jqGymLTslGfhg4uozjAIEIo9
IxWTg2/g6bi9DKIarqb/IyGmCQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQADHFu7
Avp6UWOLiJigyyv/l7PUrLF7mAhz+t5Z5PW9J13tGR3wwwA4qH37qjOW5Rt44gYe
NRTn42VMWh/1BmTe2R5noSjPGw3HGLZRGAAKbZI8tr9/E5aLvE1YOGk0UHDqd7Zs
u3a6Y0PdKSgDiYnaThcIc7qbpeR0/pmli4B5+B7C+nGr7/0bc3R4yvzZDUa1NuLM
9E50jIxGvr7Z46IZ5s3IDLcB/Fkx2aaWgzFTfhbrK0S6R0CxsjYF7EUP7KPY2NJQ
U5nHMq8aoFz/s7LgalfLSrWGy4VkwJhaPixQ9BfhRgbJfpXVG5q1IJ4AqyMC+wSD
JO9LzZyikrRx435W
-----END CERTIFICATE-----

Client.crt:

-----BEGIN CERTIFICATE-----
MIID+DCCAuACAws5BjANBgkqhkiG9w0BAQUFADCBvzELMAkGA1UEBhMCVUsxGDAW
BgNVBAgTD0dsb3VjZXN0ZXJzaGlyZTETMBEGA1UEBxMKR2xvdWNlc3RlcjESMBAG
A1UEAxMJbG9jYWxob3N0MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMSQw
IgYDVQQLExtBdXRvbWF0ZWQgVGVzdGluZyBBdXRob3JpdHkxKTAnBgkqhkiG9w0B
CQEWGnNlY3VyaXR5QHR3aXN0ZWRtYXRyaXguY29tMCAXDTE0MDkxODEyNTIzNFoY
DzIxMTQwODI1MTI1MjM0WjCBvzELMAkGA1UEBhMCVUsxGDAWBgNVBAgTD0dsb3Vj
ZXN0ZXJzaGlyZTETMBEGA1UEBxMKR2xvdWNlc3RlcjESMBAGA1UEAxMJbG9jYWxo
b3N0MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMSQwIgYDVQQLExtBdXRv
bWF0ZWQgVGVzdGluZyBBdXRob3JpdHkxKTAnBgkqhkiG9w0BCQEWGnNlY3VyaXR5
QHR3aXN0ZWRtYXRyaXguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAw4L4HpmBwJh5JI5Ia8IVgAXwDBKwEG2nZMEYEytmjeKIdgRrApNa+JzKmZhz
EhsK1zR2fz/WBqHZo8/CEYe5sMr2YqTnSyaxz+Oiqh4jDPCfb86zjK2zUDHNc4YE
xswsFNLbHBnOcFkZBUVgtj2zUW8COdeP9QFBDAFRH4Gl4FDmvPE8GfZl/49pz8YT
aP4dHgevcHTHqzTQJooeOv/Ofnh5ftaUnpnRUqV1CRlsNQNi1cNZbmyoFZGjN4mF
VZfwV4BWlYH0ns6br3NQA9TJ8KYOVVmpUgL7bUk2jqGymLTslGfhg4uozjAIEIo9
IxWTg2/g6bi9DKIarqb/IyGmCQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQADHFu7
Avp6UWOLiJigyyv/l7PUrLF7mAhz+t5Z5PW9J13tGR3wwwA4qH37qjOW5Rt44gYe
NRTn42VMWh/1BmTe2R5noSjPGw3HGLZRGAAKbZI8tr9/E5aLvE1YOGk0UHDqd7Zs
u3a6Y0PdKSgDiYnaThcIc7qbpeR0/pmli4B5+B7C+nGr7/0bc3R4yvzZDUa1NuLM
9E50jIxGvr7Z46IZ5s3IDLcB/Fkx2aaWgzFTfhbrK0S6R0CxsjYF7EUP7KPY2NJQ
U5nHMq8aoFz/s7LgalfLSrWGy4VkwJhaPixQ9BfhRgbJfpXVG5q1IJ4AqyMC+wSD
JO9LzZyikrRx435W
-----END CERTIFICATE-----

Answer 1

A side of a TLS connection can use a private key and a certificate to prove its identity to the other side during the TLS handshake. Commonly, the server side does this and the client side does not. However, it's also possible for the client to use its own private key and certificate to prove its identity to the server (and it's also possible for neither side to bother proving its identity to the other, though this is even less common than client-side identification).

The private key is, as the name suggests, kept private. The basic point of the certificate is to prove that you possess a certain private key. Therefore if you share the private key with other people, your certificates become less useful because all any of you can prove is that you have that same private key - leaving the peer you're proving this to uncertain about which of you it is actually talking to.

The public key isn't commonly used by itself as part of a TLS connection. This is because it's just a big random number and it's inconvenient to identify entities using just big random numbers. So instead there is a certificate which is a lot of human-friendly metadata combined with the public key and then signed by a private key (usually not your private key, instead usually by a certificate authority's private key - but when you have a "self-signed certificate", as the name suggests, your certificate is signed by your own private key).

You successfully extracted the public key from the PEM using the command openssl x509 -pubkey -noout -in server.pem > public.key but this isn't particularly useful for running a TLS server.

Instead you want the certificate:

openssl x509 -in server.pem > cert.pem

This step is not strictly not necessary. The APIs for loading a certificate from a PEM will search through a big pile of other garbage until finding the certificate and then load it.

However it does make sense to split the certificate out in this case in order to supply it and only it to the client. The echoclient_ssl.py you linked to wants the certificate to use as the "trust root". It wants to be able to establish a trust chain (basically, a chain of signatures going from the certificate the server presented back to an issuing entity, from that issuing entities certificate back to its issuing entity, and so on until it reaches a certificate in the trust root). In this case, if you use the exact same certificate on the server and in the client's trust root, the chain is very short (the certificate is signed by its own private key, so the chain only has one link).

Separating out the certificate and giving the client only that simulates real world usage where the client wouldn't actually have access to the server's private key (which makes sense for the reasons discussed above).