为什么赢了';这段Python代码不能通过SSL连接吗?
已更新:问题底部的固定/工作代码。重新实现为使用为什么赢了';这段Python代码不能通过SSL连接吗?,python,sockets,ssl,Python,Sockets,Ssl,已更新:问题底部的固定/工作代码。重新实现为使用wrap_socket()而不是SSL.Context()。协商密码似乎不受ssl协议的影响 我有一个XML服务,它监听端口8388。该服务内置了自己的CA,并将为在其管理界面上配置的任何客户端发出P12文件(我需要在连接中包含CA证书) 我已经配置了客户端并下载了P12文件;还从P12导出了PEM文件(为了便于调试),并为服务器CA导出了PEM文件(这是一个Java密钥库) 如果我使用openssl s_client并将客户端证书/密钥和CA文件
wrap_socket()SSL.Context()openssl s_client# openssl s_client -connect srv.domain.net:8388 -CAfile server_ca.pem -cert client_cert.pem -key client_key.pem
CONNECTED(00000003)
depth=1 ... emailAddress = ca@SERVERsystems.com
verify return:1
depth=0 ...CN = srv.domain.net
verify return:1
---
Certificate chain
0 s:/emailAddress=help@mydomain.net...CN=srv.domain.net
i:/C=US/...emailAddress=ca@SERVERsystems.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJRDCCByygAwIBAgIGAVGIopaoMA0GCSqGSIb3DQEBDQUAMIG...rV
-----END CERTIFICATE-----
subject=/emailAddress=help@mydomain.net...CN=srv.domain.net
issuer=/C=US/...emailAddress=ca@SERVERsystems.com
---
Acceptable client certificate CA names
/C=US/...emailAddress=ca@SERVERsystems.com
/.../CN=srv.domain.net
---
SSL handshake has read 3369 bytes and written 5705 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ...DF6572FA00D62D83CF0B1A82F
Session-ID-ctx:
Master-Key: ...7F685C0B163A7739C271E9722FC0554108175C4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1461337153
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import OpenSSL
from OpenSSL import *
import sys
serverName = sys.argv[1]
print "Using server : " + serverName
ctx = SSL.Context(SSL.SSLv3_METHOD)
ctx.use_privatekey_file('client_key.pem')
ctx.use_certificate_file('client_cert.pem')
ctx.load_verify_locations(cafile='server_ca.pem')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((serverName, 8388))
sslSocket = socket.ssl(s)
print repr(sslSocket.server())
print repr(sslSocket.issuer())
print ("writing socket..")
sslSocket.write('<transaction><data>14</data></transaction>\n')
s.close()
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import ssl
import sys
import os
serverName = sys.argv[1]
print "Using server : " + serverName
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# ssl.PROTOCOL_xxx does not seem to affect negotiated cipher??
wrapper = ssl.wrap_socket(s,
ca_certs = "server_ca.pem",
certfile = "client_cert.pem",
keyfile = "client_key.pem",
cert_reqs=ssl.CERT_REQUIRED,
ssl_version=ssl.PROTOCOL_TLSv1)
wrapper.connect((serverName, 8388))
# some info on the connnection/cipher in use
print repr(wrapper.getpeername())
print repr(wrapper.cipher())
print repr(wrapper.getpeercert())
# send server command
print ("writing socket..")
wrapper.send ("<transaction><data>14</data></transaction>\n")
# read server reply
print "server reply: " + wrapper.recv(4096)
wrapper.close()
s.close()
#/usr/bin/python
#-*-编码:utf-8-*-
导入套接字
导入ssl
导入系统
导入操作系统
serverName=sys.argv[1]
打印“使用服务器:”+serverName
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#ssl.PROTOCOL_xxx似乎不会影响协商密码??
wrapper=ssl.wrapp_套接字,
ca\u certs=“server\u ca.pem”,
certfile=“client\u cert.pem”,
keyfile=“client\u key.pem”,
证书要求=ssl.cert要求,
ssl_version=ssl.PROTOCOL_TLSv1)
wrapper.connect((服务器名,8388))
#有关正在使用的连接/密码的一些信息
打印报告(wrapper.getpeername())
打印报告(wrapper.cipher())
打印报告(wrapper.getpeercert())
#发送服务器命令
打印(“书写插座…”
wrapper.send(“14\n”)
#读取服务器应答
打印“服务器回复:”+wrapper.recv(4096)
wrapper.close()
s、 关闭()
使用客户端证书的一种更简单的方法是使用
ssl.wrap_socketcertfilekeyfilectx=SSL.Context(SSL.SSLv3_方法)sslv3警报错误证书。我很困惑。。服务器是否规定了这一点?据我所知,服务器不希望接受您的客户端证书。因此,至少您现在知道,此错误不是特定于SSL/TLS版本的。从我看到的情况来看,您构建了上下文,但您没有将此上下文用于SSL连接。这样就不会使用客户端证书,这就是为什么会收到此错误消息。为什么不简单地使用ssl.wrap_socketssl.wrap\u socketApr 22 10:39:56 srv.domain.net ERROR server.auth [Thread-183,run:233] Couldn't validate the client certificate. Verify the validity and dates of the client cert.
Apr 22 10:39:56 srv.domain.net javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Apr 22 10:39:56 srv.domain.net at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
Apr 22 10:39:56 srv.domain.net at com.xml.server.auth.run(auth.java:226)
Apr 22 10:39:56 srv.domain.net at java.lang.Thread.run(Thread.java:745)
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import ssl
import sys
import os
serverName = sys.argv[1]
print "Using server : " + serverName
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# ssl.PROTOCOL_xxx does not seem to affect negotiated cipher??
wrapper = ssl.wrap_socket(s,
ca_certs = "server_ca.pem",
certfile = "client_cert.pem",
keyfile = "client_key.pem",
cert_reqs=ssl.CERT_REQUIRED,
ssl_version=ssl.PROTOCOL_TLSv1)
wrapper.connect((serverName, 8388))
# some info on the connnection/cipher in use
print repr(wrapper.getpeername())
print repr(wrapper.cipher())
print repr(wrapper.getpeercert())
# send server command
print ("writing socket..")
wrapper.send ("<transaction><data>14</data></transaction>\n")
# read server reply
print "server reply: " + wrapper.recv(4096)
wrapper.close()
s.close()
ctx.use_privatekey_file('client_key.pem')
ctx.use_certificate_file('client_cert.pem')
...
sslSocket = socket.ssl(s)