zoukankan      html  css  js  c++  java
  • https双向认证(python)

    SSL Client Authentication over HTTPS (Python recipe)

    A 16-line python application that demonstrates SSL client authentication over HTTPS.
    We also explain the basics of how to set up Apache to require SSL client authentication. This assumes at least Python-2.2 compiled with SSL support, and Apache with mod_ssl

    On the server, I'm initializing the SSLContext with my private key, the certfile provided by the CA that I'm loading from the caroot.crt file. Now, when I initialize this with something like node, everything works fine (for example: Setting up SSL with node.js). My intentions were to set everything up the same way. My assumption is that during the handshake, the server is providing the client with a CA, just like my node server would. It seems like that's not the case. What am I doing wrong?

    If ssl.CERT_REQUIRED isn't used, everything works perfectly, but I'm wanting to validate that the endpoint (server) is who they say they are.

    Server

    import socket
    import ssl
    
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    context.load_cert_chain(certfile='./path/to/certfile.crt', 
        keyfile='./path/to/keyfile.pem')
    context.load_verify_locations('./path/to/caroot.crt')
    context.set_default_verify_paths()
    
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('', 23000))
    server_socket.listen(socket.SOMAXCONN)
    
    def handle_client(ssl_socket):
        data = ssl_socket.read()
        while data:
            print("%s" % (str(data)))
            data = ssl_socket.read()
    
    while True:
        client_socket, addr = server_socket.accept()
        ssl_client_socket = context.wrap_socket(client_socket, server_side=True)
        handle_client(ssl_client_socket)
    

    Client

    import socket
    import ssl
    
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # I'm assuming this is not necessary, but I'd like to load the system provided CAs
    context.set_default_verify_paths()
    # Require CA validation to prevent MITM.
    context.verify_mode = ssl.CERT_REQUIRED
    
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssl_client = context.wrap_socket(client_socket)
    ssl_client.connect(('', 23000))
    ssl_client.send(bytes('hello, world!', 'UTF-8'))
    

    As it turns out, my CA provided 3 different crt files. My solution was to append them in a specific order to generate the correct CA chain that was being passed to context.load_verify_locations.

  • 相关阅读:
    java时间戳与Date相互转换、日期格式化、给日期加上指定时长、判断两时间点是否为同一天
    notepad++去掉红色波浪线
    发生异常Address already in use: bind
    SecureCRT背景颜色
    linux查看实时日志命令
    idel上传代码到github时遇到的Push rejected: Push to origin/master was rejected
    git解决error: The following untracked working tree files would be overwritten by checkout
    使用SecureCRT工具上传、下载文件的两种方法
    Windows下Zookeeper启动zkServer.cmd闪退问题的解决方案
    Maven的Snapshot版本与Release版本
  • 原文地址:https://www.cnblogs.com/sixloop/p/8963351.html
Copyright © 2011-2022 走看看