Verifying peer in SSL using python


Problem description


I was trying to find out how I can go about verifying a self-signed certificate by a server in Python. I could not find much data in Google. I also want to make sure that the server url

Thanks in advance for any insights.

Solution

From the comments to my first reply I see that there is a general misunderstanding of what 'verify a certificate' means. I will try to write a brief explanation here to eliminate some of the illusions.

Certificate verification is about checking a signature on the certificate metadata (i.e. subject, validity period, extensions and such) against some cryptographic signature.

If all you have for the validation is a self-signed certificate you cannot distinguish it from another self-signed certificate with exactly the same metadata but a different key, unless you know the certificate's key in advance. And don't forget that you establish all this verification procedure to remove the requirement to have this pre-shared knowledge. With regular certificate verification you cannot completely remove the requirement to have some pre-shared knowledge, which is a set of third-party certificates, also known as 'CA certificates'. Since this knowledge is pre-shared, those certificates may be self-signed, but remember that you have received information about the validity of those certificates not from the verification process, but from some outer knowledge.

When you have a set of trusted 'CA certificates' distributed between peers, you can use those to sign other certificates and check signatures against that pre-shared knowledge of trusted CAs.

But if you have no additional knowledge about a self-signed certificate except the certificate itself, you can make no assumptions about trust in this particular certificate, because it can be issued by some evil hacker as well as by your trustworthy server.

Please acquire some knowledge about man-in-the-middle attacks, public key infrastructure and public key cryptography in general before implementing any kind of certificate verification process.

Please understand that blind verification of a self-signed certificate will not protect you even from a clever hacker in your own network, not even considering internet security in general.

Edit: the question author clarified that he was actually looking for how to verify a VeriSign (or other CA) signature on a certificate using M2Crypto bindings. Here are two examples:

from M2Crypto import X509, SSL

# manual validation of a signature on a certificate using a given CA cert:
ca = X509.load_cert('/path/to/ca_cert.pem')
cert = X509.load_cert('certificate_to_validate.pem')
# X509.verify() returns 1 when the CA public key signed this certificate and
# 0 otherwise; it checks the signature only, not validity dates or hostname.
print("Verification results:", cert.verify(ca.get_pubkey()))

# adding a given CA cert to the SSL Context for verification
ctx = SSL.Context()
# load a certificate from file
ctx.load_verify_locations(cafile='/path/to/ca_cert.pem')
# or use all certificates in a CA directory
ctx.load_verify_locations(capath='/path/to/ca/dir')
# or you can specify both options at the same time.
# Loading CA certs alone does not enforce checking: the context still has to
# be told to verify the peer and to fail the handshake when it cannot.
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)

If you are going to use a directory with many CA certificates (which is often more convenient) you must rename each certificate to <hash>.0 where <hash> is the hash of the certificate subject (obtained with openssl x509 -noout -hash -in cert.pem).
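The following is an added example, not code from the original answer: it uses the `cryptography` package rather than M2Crypto to show what `cert.verify(ca.get_pubkey())` actually checks (a signature over the certificate body with the CA key) and why a self-signed certificate with identical metadata is indistinguishable without pre-shared CA knowledge. The CA name, server name and all keys are constructed inside the block.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_cert(cn, subject_key, issuer_cert, issuer_key):
    """Issue a cert for `cn` carrying subject_key's public key, signed by
    issuer_key. With issuer_cert=None the certificate is self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
        .sign(issuer_key, hashes.SHA256())
    )


def signature_checks_out(cert, ca_cert):
    """Equivalent of M2Crypto's cert.verify(ca.get_pubkey()): checks only that
    the CA key signed the certificate's TBS bytes; not expiry, hostname, etc."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def demo():
    # Constructed trust anchor: this is the pre-shared knowledge the answer describes.
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = build_cert("Demo Root CA", ca_key, None, ca_key)
    server_key = ec.generate_private_key(ec.SECP256R1())
    genuine = build_cert("www.example.test", server_key, ca_cert, ca_key)
    # Attacker's certificate: identical metadata, different key, self-signed.
    fake_key = ec.generate_private_key(ec.SECP256R1())
    forged = build_cert("www.example.test", fake_key, None, fake_key)
    return {"genuine_vs_ca": signature_checks_out(genuine, ca_cert),   # True
            "forged_vs_ca": signature_checks_out(forged, ca_cert),     # False
            "forged_vs_itself": signature_checks_out(forged, forged)}  # True
```

The last result is the point of the answer: a self-signed certificate always verifies against its own key, so that check proves nothing unless the key was trusted beforehand.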
