2 SSL certificates in twisted


Question

I have this code:

from twisted.web.server import Site
from twisted.web.static import Data
from twisted.internet import reactor, ssl

root = Data("", "text/plain")
site = Site(root)
reactor.listenSSL(config.ws_port, site,
                      ssl.DefaultOpenSSLContextFactory(
                        '/etc/apache2/ssl/wc.key',
                        '/etc/apache2/ssl/wc.crt')
                      )

But I have an additional domain and another certificate for it. I need Twisted working with 2 certificates, one for each domain. How can I add a second certificate to Twisted?

Recommended answer

The way TLS works with HTTP to support multiple hostnames is either by using a single certificate that contains all of those hostnames (for example, as subjectAltName extensions) or by using multiple certificates (each with fewer than the complete set of hostnames) and the SNI TLS extension.

If you want to use the former solution, all you need to do is acquire correctly constructed certificates. How you do this probably depends on where you're getting your certificates from. Perhaps the certificate vendor has a special user interface for this or perhaps the certificate request generator you're using has options that control it.

If you want to use the latter solution, investigate txSNI:

from OpenSSL.crypto import FILETYPE_PEM

from txsni.snimap import SNIMap
from txsni.tlsendpoint import TLSEndpoint

from twisted.web.server import Site
from twisted.web.static import Data
from twisted.internet import reactor
from twisted.internet.ssl import Certificate, KeyPair, PrivateCertificate
from twisted.internet.endpoints import serverFromString

def main(reactor):
    root = Data("", "text/plain")
    site = Site(root)

    def load(key_path, cert_path):
        # Read the PEM-encoded private key and certificate and pair them up.
        with open(key_path) as key_file:
            key = KeyPair.load(key_file.read(), FILETYPE_PEM)

        with open(cert_path) as cert_file:
            cert = Certificate.loadPEM(cert_file.read())

        return PrivateCertificate.fromCertificateAndKeyPair(cert, key)

    # Map each SNI hostname to its TLS options; "DEFAULT" is the fallback.
    snimap = SNIMap({
        "DEFAULT": load('/etc/apache2/ssl/wc.key', '/etc/apache2/ssl/wc.crt').options(),
        # another_key / another_cert: paths to the second domain's key and certificate
        "another.host.name": load(another_key, another_cert).options(),
        # ...
    })

    # Wrap the plain TCP endpoint so connections are served over TLS using the SNI map.
    endpoint = TLSEndpoint(serverFromString(reactor, "tcp:80"), snimap)
    endpoint.listen(site)

    reactor.run()

main(reactor)
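
An added example, not part of the original answer and not txSNI's code: a simplified model of the hostname-to-certificate lookup configured above, used to check that every hostname you serve receives a certificate whose subjectAltName entries actually cover it. The SAN lists, the example.com/example.org names and the certificate labels are constructed assumptions.

```python
# Constructed sample data: the SAN entries each certificate is assumed to carry.
CERT_SANS = {
    "wc.crt": ["*.example.com", "example.com"],
    "another.crt": ["another.host.name"],
}

# SNI name -> certificate, mirroring the keys of the mapping in the answer.
SNI_MAP = {"DEFAULT": "wc.crt", "another.host.name": "another.crt"}


def san_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == pattern[2:]


def select_cert(sni_name, sni_map=SNI_MAP):
    """Pick a certificate for a ClientHello: exact SNI entry, else DEFAULT."""
    if sni_name is not None and sni_name.lower() in sni_map:
        return sni_map[sni_name.lower()]
    return sni_map["DEFAULT"]  # also used by clients that send no SNI at all


def audit(hostnames, sni_map=SNI_MAP, cert_sans=CERT_SANS):
    """Return {hostname: (cert, covered)}; covered is False when the served
    certificate would fail the client's hostname verification."""
    report = {}
    for host in hostnames:
        cert = select_cert(host, sni_map)
        covered = any(san_matches(p, host) for p in cert_sans[cert])
        report[host] = (cert, covered)
    return report


if __name__ == "__main__":
    names = ["www.example.com", "another.host.name",
             "a.b.example.com", "third.example.org"]
    for host, (cert, ok) in audit(names).items():
        print(f"{host:20} -> {cert:12} {'ok' if ok else 'NAME MISMATCH'}")
```

Any hostname reported as a mismatch falls through to the DEFAULT certificate and will be rejected by verifying clients, so it needs its own map entry or a certificate that lists it.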
