SSL with self signed certificate using python


Problem description

I am trying to build a simple server in python using my self signed certificate. I created .cer, .pfx, .pvk files using makecert.

import ssl

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="ServerSSL.cer")

Traceback (most recent call last):
  File "ssl_server.py", line 4, in <module>
    context.load_cert_chain(certfile="ServerSSL.cer")
ssl.SSLError: [SSL] PEM lib (_ssl.c:2580)

What did I do wrong? I also tried to convert my cer file to pem by changing the suffix and I got the same error.

Recommended answer

When you take a look at the original source of _ssl.c:2580 you can see that SSL_CTX_use_certificate_chain_file failed. Since neither pw_info.error nor errno is set, it's not easy to find the cause. The problem might be caused by the crt file. Open it in a text editor and check that the file looks exactly as it should; also verify the newlines. If they don't match EXACTLY the function call will fail.

2567:    PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
2568:    r = SSL_CTX_use_certificate_chain_file(self->ctx, certfile_bytes);
2569:    PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
2570:    if (r != 1) {
2571:        if (pw_info.error) {
2572:            ERR_clear_error();
2573:            /* the password callback has already set the error information */
2574:        }
2575:        else if (errno != 0) {
2576:            ERR_clear_error();
2577:            PyErr_SetFromErrno(PyExc_IOError);
2578:        }
2579:        else {
2580:            _setSSLError(NULL, 0, __FILE__, __LINE__);
2581:        }
2582:        goto error;

The documentation also says:

The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
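
An added example, not part of the original answer: a check that tells a PEM certificate file from a binary DER one and re-encodes DER as PEM instead of renaming the file. It assumes the .cer from the question is DER-encoded; `classify_cert`, `ensure_pem` and `SAMPLE_DER` are hypothetical names, and the sample bytes are constructed.

```python
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def classify_cert(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    # PEM is text: the header and footer must each sit alone on a line.
    lines = [ln.strip() for ln in data.decode("ascii", "ignore").splitlines()]
    if PEM_HEADER in lines and PEM_FOOTER in lines:
        return "pem"
    # DER is binary ASN.1. A certificate is a SEQUENCE (0x30); 0x82 marks a
    # two-byte length, which covers certificates of 256 to 65535 bytes.
    if data[:2] == b"\x30\x82":
        return "der"
    return "unknown"


def ensure_pem(data: bytes) -> str:
    """Return PEM text for a PEM or DER certificate; raise ValueError otherwise."""
    kind = classify_cert(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        # Re-encode instead of renaming: base64 body wrapped at 64 columns.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither a PEM nor a DER certificate")


# Constructed bytes shaped like the start of a DER file; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))

if __name__ == "__main__":
    print(classify_cert(SAMPLE_DER))
    print(ensure_pem(SAMPLE_DER))
```

load_cert_chain also needs the matching private key in PEM form, either through keyfile= or in the same file as the certificate.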
