Python SSL example from docs gives "Connection reset by peer" error

Problem description

I'm trying to run the example code provided in the documentation for the ssl module here: http://docs.python.org/2/library/ssl.html#client-side-operation

The server-side code is similar to the example given in the documentation, and it throws this exception:

Traceback (most recent call last):
  File "serve.py", line 16, in <module>
    ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python2.7/ssl.py", line 381, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 143, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
socket.error: [Errno 104] Connection reset by peer

And the client-side code, also similar to the example in the documentation, throws this exception:

Traceback (most recent call last):
  File "client.py", line 8, in <module>
    ssl_sock.connect((host, port))
  File "/usr/lib/python2.7/ssl.py", line 331, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python2.7/ssl.py", line 324, in _real_connect
    raise e
socket.error: [Errno 104] Connection reset by peer

As far as I can see, I've copied the examples provided in the documentation quite closely, so I don't know what the problem is. All of my TCP, UDP and ICMP ports are open, so I don't think it is a firewall issue.

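(For brevity, I have edited this question to trim my code, since it really is very similar to the examples provided at the link. If you want to see my code, check this question's history.)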

Recommended answer

I found the problem. I generated the private key and the certificate using a command like this:

$ openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem
Generating a 1024 bit RSA private key
# ...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organization, Inc.
Organizational Unit Name (eg, section) []:My Group
Common Name (eg, YOUR name) []:myserver.mygroup.myorganization.com
Email Address []:ops@myserver.mygroup.myorganization.com
$

The crucial part is that the "common name" entered must match the domain name of the server. I thought that when cacerts is ssl.CERT_NONE, which it is by default for wrap_socket, this wouldn't be checked, but I was wrong. It's always checked. One night's sleep and it's the first thing I thought of to verify!

Hopefully this will be useful to someone else who gets this cryptic error message.

If this doesn't solve it, you might be suffering from deep packet inspection. I got this error again when I was on a university network, but not on any other network, and I'm fairly certain it was because of deep packet inspection.
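
An added example, not part of the original post or the Python documentation: a small probe that separates a TCP-level reset (the errno 104 in the tracebacks above) from a certificate failure reported by the TLS layer, which helps tell a name or trust problem from a peer or middlebox dropping the connection. It uses Python 3's ssl.SSLContext API; the function names and the loopback server that aborts mid-handshake are constructed for illustration.

```python
import socket
import ssl
import struct
import threading


def classify_handshake(host, port, server_hostname=None, timeout=5.0):
    """Attempt a TLS handshake and report the layer at which it failed."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain or name mismatch: raised by the TLS layer itself.
        return "certificate: " + exc.verify_message
    except ssl.SSLError as exc:
        return "tls: " + str(exc.reason)
    except ConnectionResetError:
        # errno 104: the peer, or a device on the path, sent a TCP RST.
        return "tcp-reset"
    except OSError as exc:
        return "socket: " + str(exc)


def start_resetting_server():
    """Constructed stand-in for a peer that aborts mid-handshake; returns its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.recv(4096)  # wait for the ClientHello
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    port = start_resetting_server()
    return classify_handshake("127.0.0.1", port, server_hostname="localhost")


if __name__ == "__main__":
    print(demo())
```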
