Python WWS库需要整个证书链来验证服务器 [英] Python WWS Library requires entire certificate chain to verify server

问题描述

我正在使用ssl.py连接到Web服务器，我想验证服务器证书.

I am using ssl.py to connect to a webserver and I would like to verify the server certificate.

我有一个ROOT_CA，它签署了一个INTERMEDIATE_CA，最后签署了SERVER_CERTIFICATE.

I have a ROOT_CA which signs an INTERMEDIATE_CA and this finally signs the SERVER_CERTIFICATE.

我只想向客户端提供INTERMEDIATE_CA，以便它可以验证其签名的所有证书.但是，看来我需要提供整个证书链ROOT_CA-> INTERMEDIATE_CA才能使验证正常进行.

I would like to provide the client only the INTERMEDIATE_CA so it can verify all certificates signed by it. However, it appears that I need to provide the entire certificate chain ROOT_CA->INTERMEDIATE_CA in order for the verification to work.

对此有何见解?

这是我正在使用的脚本:

Here is the script I am using:

import asyncio
import pathlib
import ssl
import websockets

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_REQUIRED 
server_cert = pathlib.Path(__file__).with_name("intermediate_ca_server.ca-chain.cert.pem")
ssl_context.load_verify_locations(server_cert)

async def hello():
     uri = "wss://<url>"
     async with websockets.connect(
         uri, ssl=ssl_context
     ) as websocket:
        await websocket.send('test data')
        greeting = await websocket.recv()
        print(f"< {greeting}")

推荐答案

默认情况下，OpenSSL需要完整的证书链，包括根证书.使用OpenSSL 1.0.2，添加了新的验证标志 X509_V_FLAG_PARTIAL_CHAIN ，即使该证书不是根证书(即，主题和颁发者不同)，也可以使信任链以受信任证书结尾.

By default OpenSSL needs the full certificate chain including the root certificate. With OpenSSL 1.0.2 a new verification flag X509_V_FLAG_PARTIAL_CHAIN was added which makes it possible to let the trust chain end in a trusted certificate even if this certificate is not a root certificate (i.e. subject and issuer differ).

似乎Python尚未为此定义一个常量，因此需要使用整数表示形式:

It looks like Python does not have yet a constant defined for this so one needs to use the integer representation:

ctx = ssl.create_default_context()
ctx.load_verify_locations(cafile='subca.pem')  # contains only sub-CA
ctx.verify_flags |= 0x80000           # set X509_V_FLAG_PARTIAL_CHAIN
ctx.ssl_wrap(...)

这篇关于Python WWS库需要整个证书链来验证服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！