ssl with self signed certificate using python
Problem description
I am trying to build a simple server in Python using my self-signed certificate. I created .cer, .pfx, .pvk files using makecert.
import ssl

# Server-side context; load_cert_chain expects a PEM-encoded certificate file
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="ServerSSL.cer")
Traceback (most recent call last):
  File "ssl_server.py", line 4, in <module>
    context.load_cert_chain(certfile="ServerSSL.cer")
ssl.SSLError: [SSL] PEM lib (_ssl.c:2580)
What did I do wrong? I also tried to convert my cer file to pem by changing the suffix and I got the same error.
Recommended answer
When you take a look at the original source of _ssl.c:2580 you can see that SSL_CTX_use_certificate_chain_file failed. Since neither pw_info.error nor errno is set, it's not easy to find the cause. The problem might be caused by the crt file. Open it in a text editor and check that the file looks exactly as it should; also verify the newlines. If they don't match EXACTLY the function call will fail.
2567: PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
2568: r = SSL_CTX_use_certificate_chain_file(self->ctx, certfile_bytes);
2569: PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
2570: if (r != 1) {
2571: if (pw_info.error) {
2572: ERR_clear_error();
2573: /* the password callback has already set the error information */
2574: }
2575: else if (errno != 0) {
2576: ERR_clear_error();
2577: PyErr_SetFromErrno(PyExc_IOError);
2578: }
2579: else {
2580: _setSSLError(NULL, 0, __FILE__, __LINE__);
2581: }
2582: goto error;
The documentation also says:
The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.