tls中客户端的证书 [英] certificates for client side in tls

问题描述

我已经坚持了好几天，仍然无法解决.我只想在python中建立一个简单的TLS c/s通信.对于服务器，我使用EC2，对于客户端，我使用自己的笔记本电脑.我设置并测试了正常的套接字通信，一切正常.

I'm stuck with this for several days and could not figure it out still. I just want to build a simple TLS c/s communication in python. For server I use EC2, client I use my own laptop. I setup and test normal socket communication and everything works fine.

当我从官方文档尝试本教程时，我会运行陷入问题.对于以下客户端代码:

When I try this tutorial from the official doc, I run into problem. For the following client code:

# require a certificate from the server
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="/etc/ca_certs_file",
                           cert_reqs=ssl.CERT_REQUIRED)

据我所知，/etc/ca_certs_file部分应该是来自CA的一些证书.我很困惑我应该在哪里寻找它们.我实际上在EC2服务器上的/etc/ssl/certs中找到了一些.pem文件，但是在客户端(我的笔记本电脑)上却找不到任何文件.

As far as I know the part /etc/ca_certs_file should be some certificates from CAs. I am confused where should I look for them. I actually find some .pem files in /etc/ssl/certs on EC2 server but nothing on the client, my laptop.

我还尝试根据此生成用户证书在openssl 教程中，我按照以下步骤操作，为服务器生成cakey.pem，cacert.pem，为客户端生成userkey.pem，usercert-req.pem，它们都位于EC2服务器的同一目录中.当我执行openssl ca -in usercert-req.pem -out usercert.pem时，它输出错误:

I also tried to generate a user certificate according to this tutorial on openssl, I followed the steps, generating cakey.pem, cacert.pem for the server, userkey.pem, usercert-req.pem for the client, all in a same directory in my EC2 server. When I execute openssl ca -in usercert-req.pem -out usercert.pem, it outputs error:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load certificate
140420412405408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

那么实际上应该如何生成此证书文件?在服务器端生成，然后等待客户端通过无线请求它们，还是在客户端生成，或者从第三方获得并直接在客户端使用?

So actually how should this cert file get generated? Generate at server side, then wait for client to request them over the air, or generate at client side, or obtain from 3rd party and directly use on client side?

有人可以提供任何指导吗?感谢您的帮助.

Could anyone give any guidance? Any help is appreciated.

推荐答案

这将创建一个自签名证书对，私钥将在同一文件中:

This will create a self signed certificate pair, the private key will be in the same file:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

然后从服务器端的python中获取:

And then from python on the server side:

new_client_socket, address = server_socket.accept()
secured_client_socket = ssl.wrap_socket(new_client_socket,
                                        server_side=True,
                                        certfile='cert.pem',
                                        keyfile='cert.pem',
                                        ssl_version=ssl.PROTOCOL_TLSv1)

以及客户端应用程序:

unsecured_client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket = ssl.wrap_socket(unsecured_client_socket,
                                ca_certs='cert.pem',
                                cert_reqs=ssl.CERT_REQUIRED,
                                ssl_version=ssl.PROTOCOL_TLSv1)

这篇关于tls中客户端的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！