What is the difference between M2Crypto's set_client_CA_list_from_file() and load_verify_info() and when would you use each?


Question


The M2Crypto library has a few CA-related functions on its SSL.Context object, but the documentation is very unclear as to when you would use certain functions and why. In fact, the docs for almost all of them are, "Load CA certs into the context," so it seems possible that they all do the same thing.

There are several examples (http://www.cs.technion.ac.il/~danken/SecureXMLRPCServer.py) that use both set_client_CA_list_from_file() and load_verify_info(), but there are also other similar functions like load_client_ca() and load_verify_locations().


I am writing both client and server pieces. What functions should I use and why? What specifically do they do?


Looking through the code I see:

# Deprecated.
load_client_CA = load_client_ca = set_client_CA_list_from_file

# Deprecated.
load_verify_info = load_verify_locations


So that helps a little. This brings us down to two functions: set_client_CA_list_from_file() and load_verify_locations(). But I still can't quite tell the difference between the two.

Recommended answer


If your server requires the client to present a certificate, it can restrict who are the valid issuers of the client certificates by specifying the issuers calling set_client_CA_list_from_file. This is actually pretty rare.


The client specifies who are the valid server certificate issuers by calling load_verify_locations. Almost all clients should do this.


Both client and server can call load_cert to set their own certificate. Servers should almost always do this. Clients should probably do this only if the server requires the client to present a certificate.


I recommend you pick up a copy of Network Security with OpenSSL by John Viega, Matt Messier and Pravir Chandra, ISBN 059600270X, which should clarify these issues in more detail.
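The client/server split described in the answer, written out as M2Crypto context setup. This is an added example, not part of the original answer or of M2Crypto's own code. The file names, the chain depth of 9 and the `ctx` parameter are assumptions; `ctx` exists only so the functions can be exercised with a stand-in object.

```python
# OpenSSL verify-mode bits; M2Crypto exposes the same values as
# SSL.verify_peer and SSL.verify_fail_if_no_peer_cert.
VERIFY_PEER = 0x01
VERIFY_FAIL_IF_NO_PEER_CERT = 0x02
MAX_CHAIN_DEPTH = 9  # assumed value for this example


def _new_context():
    from M2Crypto import SSL  # imported lazily; only needed for a real context
    return SSL.Context()


def _trust(ctx, ca_file):
    # load_verify_locations() fills the trust store that the peer's
    # certificate chain is verified against. It returns 1 on success.
    if ctx.load_verify_locations(ca_file) != 1:
        raise ValueError("could not load CA file: %s" % ca_file)


def make_server_context(cert, key, client_ca_file=None, ctx=None):
    """Server: always its own certificate; client-cert auth only if asked."""
    ctx = _new_context() if ctx is None else ctx
    ctx.load_cert(cert, key)
    if client_ca_file:
        # Trust store used to verify the client's certificate chain.
        _trust(ctx, client_ca_file)
        # CA names sent to the client with the certificate request, so the
        # client can pick a matching certificate. In OpenSSL this list holds
        # names only and does not make the CAs trusted.
        ctx.set_client_CA_list_from_file(client_ca_file)
        # Ask for a client certificate and fail the handshake without one.
        ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT,
                       MAX_CHAIN_DEPTH)
    return ctx


def make_client_context(server_ca_file, cert=None, key=None, ctx=None):
    """Client: always verify the server; own certificate only if required."""
    ctx = _new_context() if ctx is None else ctx
    _trust(ctx, server_ca_file)
    ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, MAX_CHAIN_DEPTH)
    if cert:
        ctx.load_cert(cert, key)
    return ctx
```

With M2Crypto installed, calling `make_server_context("server.pem", "server.key", "client-ca.pem")` returns a real `SSL.Context` configured this way.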
