Asked by: Viermusketiere Asked: 11/6/2023 Last edited by: Viermusketiere Updated: 11/6/2023 Views: 64
Python SSL socket: Accept self-signed certificates
Q:
I'm building a simple client-server application using Python's ssl socket module.
When running the example code given here, the client fails with a certificate verification error because of a self-signed certificate.
I provided the self-signed root CA certificate with context.load_verify_locations("/home/vincent/work/CA/2/AllIO_Dev_CA_2.crt").
On the server side, the certificate file also contains the server certificate and the CA's self-signed certificate in the correct order as specified here (server certificate first, CA certificate second).
In an attempt to fix the error outside Python, I also added my self-signed root CA certificate to the OS's list of trusted CA certificates.
What do I need to do to allow connections with self-signed certificates? Since this is only for a proof of concept, buying a trusted certificate is not an option at the moment.
server.py
import socket, ssl

def do_something(connstream, data):
    # Placeholder for the application protocol (not part of the original
    # template): echo the data back and keep the connection open.
    connstream.sendall(data)
    return True

def deal_with_client(connstream):
    data = connstream.recv(1024)
    # empty data means the client is finished with us
    while data:
        if not do_something(connstream, data):
            # we'll assume do_something returns False
            # when we're finished with client
            break
        data = connstream.recv(1024)
    # finished with client

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="/home/vincent/work/CA/2/Dev_Server_2_Chain.crt",
                        keyfile="/home/vincent/work/CA/2/Dev_Server_2.pem")
bindsocket = socket.socket()
bindsocket.bind(('vm-kubuntu-23', 10023))
bindsocket.listen(5)
while True:
    newsocket, fromaddr = bindsocket.accept()
    connstream = context.wrap_socket(newsocket, server_side=True)
    try:
        deal_with_client(connstream)
    finally:
        connstream.shutdown(socket.SHUT_RDWR)
        connstream.close()
client.py
import socket, ssl
import pprint

# PROTOCOL_TLS_CLIENT enables certificate and hostname verification by default
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_verify_locations("/home/vincent/work/CA/2/Dev_CA_2.crt")
print(context.get_ca_certs())
conn = context.wrap_socket(socket.socket(socket.AF_INET),
                           server_hostname="vm-kubuntu-23")
conn.connect(("vm-kubuntu-23", 10023))
cert = conn.getpeercert()
pprint.pprint(cert)
conn.sendall(b"Test Message 101r\n")  # sendall() takes bytes, not str
python3 client.py
[{'subject': ((('commonName', 'vm-kubuntu-23'),),), 'issuer': ((('commonName', 'vm-kubuntu-23'),),), 'version': 3, 'serialNumber': '3C337F71CFD1EA6D', 'notBefore': 'Nov 3 18:27:00 2023 GMT', 'notAfter': 'Nov 3 18:27:00 2033 GMT'}]
Traceback (most recent call last):
File "/home/vincent/work/switchFrontpanel/application/networkDemo/client2.py", line 12, in <module>
conn.connect(("vm-kubuntu-23", 10023))
File "/usr/lib/python3.11/ssl.py", line 1379, in connect
self._real_connect(addr, False)
File "/usr/lib/python3.11/ssl.py", line 1370, in _real_connect
self.do_handshake()
File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1002)
Dev_CA_2.crt
Dev_Server_2_Chain.crt
Note: since these certificates are purely for testing purposes and will be discarded afterwards, I don't mind sharing them.
A:
1 upvote
Steffen Ullrich
11/6/2023
#1
Dev_Server_2_Chain.crt ...
The server certificate and the CA certificate have the same subject "vm-kubuntu-23". This confuses the certificate verification process and leads to the error you see. The CA and the server should have different subjects instead.
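As an added example, not part of the answer or the asker's code: a stdlib-only checker that applies the diagnosis above to the certificate dicts Python's ssl module returns. The CA entry is the one printed by get_ca_certs() in the question; the leaf and the "after the fix" CA dicts are constructed to mirror the described setup.

```python
# Distinguished names in the dicts returned by SSLSocket.getpeercert() and
# SSLContext.get_ca_certs() are tuples of RDNs, each RDN a tuple of
# (attribute, value) pairs, e.g. ((('commonName', 'vm-kubuntu-23'),),).

def name_to_str(name):
    """Flatten an ssl-module distinguished name into 'commonName=x,...' form."""
    return ",".join(f"{attr}={value}" for rdn in name for attr, value in rdn)

def is_self_issued(cert):
    """True when the certificate names itself as its own issuer."""
    return cert["subject"] == cert["issuer"]

def diagnose_chain(peer_cert, ca_certs):
    """Return findings that explain a CERTIFICATE_VERIFY_FAILED on this chain.

    peer_cert: the server's leaf certificate dict; ca_certs: the CAs loaded via
    load_verify_locations(), as SSLContext.get_ca_certs() reports them.
    """
    findings = []
    if is_self_issued(peer_cert):
        findings.append("leaf subject equals its issuer: the handshake reports "
                        "it as a self-signed certificate")
    for ca in ca_certs:
        if ca["subject"] == peer_cert["subject"]:
            findings.append("leaf subject %r is identical to a trusted CA's "
                            "subject; give the CA a distinct subject"
                            % name_to_str(ca["subject"]))
    if not any(ca["subject"] == peer_cert["issuer"] for ca in ca_certs):
        findings.append("no loaded CA has a subject matching the leaf's issuer")
    return findings

# Taken from the question's get_ca_certs() output: a self-signed root whose
# subject and issuer are both CN=vm-kubuntu-23.
CA_SAME_CN = {
    "subject": ((("commonName", "vm-kubuntu-23"),),),
    "issuer": ((("commonName", "vm-kubuntu-23"),),),
    "serialNumber": "3C337F71CFD1EA6D",
}
# Constructed leaf mirroring the question's setup: issued by that CA, same CN.
LEAF_SAME_CN = {"subject": CA_SAME_CN["subject"], "issuer": CA_SAME_CN["subject"]}
# Constructed "after the fix": the CA carries its own distinct subject.
CA_DISTINCT = {
    "subject": ((("commonName", "Dev CA 2"),),),
    "issuer": ((("commonName", "Dev CA 2"),),),
}
LEAF_FIXED = {"subject": LEAF_SAME_CN["subject"], "issuer": CA_DISTINCT["subject"]}

if __name__ == "__main__":
    for label, leaf, cas in (("as posted", LEAF_SAME_CN, [CA_SAME_CN]),
                             ("after fix", LEAF_FIXED, [CA_DISTINCT])):
        print(label, "->", diagnose_chain(leaf, cas) or ["no findings"])
```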
Comments
0 upvotes
Viermusketiere
11/6/2023
Thanks, that was the fix. I would never have thought of that as a problem.
Comments