Error using httplib's HTTPSConnection with PKCS#12 certificate

Question

I'm trying to use httplib's HTTPSConnection for client validation, using a PKCS #12 certificate. I know the certificate is good, as I can connect to the server using it in MSIE and Firefox.

Here's my connect function (the certificate includes the private key). I've pared it down to just the basics:

def connect(self, cert_file, host, usrname, passwd):
    self.cert_file = cert_file
    self.host = host

    self.conn = httplib.HTTPSConnection(host=self.host, port=self.port, key_file=cert_file, cert_file=cert_file)

    self.conn.putrequest('GET', 'pathnet/,DanaInfo=200.222.1.1+')
    self.conn.endheaders()
    retCreateCon = self.conn.getresponse()

    if is_verbose:
        print "Create HTTPS connection, " + retCreateCon.read()

(Note: No comments on the hard-coded path, please - I'm trying to get this to work first; I'll make it pretty afterwards. The hard-coded path is correct, as I connect to it in MSIE and Firefox. I changed the IP address for the post.)

When I try to run this using a PKCS#12 certificate (a .pfx file), I get back what appears to be an openSSL error. Here is the entire error traceback:


  File "Usinghttplib_Test.py", line 175, in <module>
    t.connect(cert_file=opts["-keys"], host=host_name, usrname=opts["-username"], passwd=opts["-password"])
  File "Usinghttplib_Test.py", line 40, in connect
    self.conn.endheaders()
  File "c:\python26\lib\httplib.py", line 904, in endheaders
    self._send_output()
  File "c:\python26\lib\httplib.py", line 776, in _send_output
    self.send(msg)
  File "c:\python26\lib\httplib.py", line 735, in send
    self.connect()
  File "c:\python26\lib\httplib.py", line 1112, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "c:\python26\lib\ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "c:\python26\lib\ssl.py", line 113, in __init__
    cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336265225] _ssl.c:337: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

Notice, the openSSL error (the last entry in the list) notes "PEM lib", which I found odd, since I'm not trying to use a PEM certificate.

For kicks, I converted the PKCS#12 cert to a PEM cert, and ran the same code using that. In that case, I received no error, I was prompted to enter the PEM pass phrase, and the code did attempt to reach the server. (I received the response "The service is not available. Please try again later.", but I believe that would be because the server does not accept the PEM cert. I can't connect in Firefox to the server using the PEM cert either.)

Is httplib's HTTPSConnection supposed to support PKCS#12 certificates? (That is, pfx files.) If so, why does it look like openSSL is trying to load it inside the PEM lib? Am I doing this all wrong?

Any advice is welcome.

Edit: The certificate file contains both the certificate and the private key, which is why I'm providing the same file name for both the HTTPSConnection's key_file and cert_file parameters.

Recommended answer

On the openSSL mailing list, I chatted with Mounir Idrassi. He noted that openSSL does support PKCS#12 files, and - based on the error message I'm receiving - it appears that httplib is calling the wrong function to load the key.

In his words:

"Concerning the error you are getting, it appears that the Python module you are using is calling SSL_CTX_use_PrivateKey_file by giving it the PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1."

(I'm giving httplib the PKCS#12 file name as key file, because this file format includes both the cert and the private key in the same file.)

"In order to correct this, you have two solutions:
  - Either feed the python module with the private key in a PEM file.
  - Or modify the source code of this python module in order to use the PKCS#12 functions I mentioned above to extract the private key as an EVP_PKEY and then call SSL_use_PrivateKey instead of SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting the associated certificate."

(I tried the former and wasn't able to get it to work. Doesn't necessarily mean it won't work; only that I wasn't able to.)
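
The failure discussed above comes from handing a PKCS#12 file to a loader that reads PEM. The following is an added example, not code from the original post or from httplib: written for Python 3's ssl and http.client, it classifies the credential file before it reaches OpenSSL, so a .pfx is rejected with a clear message instead of the "PEM lib" error. The helper names and the sample byte strings are constructed for illustration.

```python
import http.client
import ssl


def _tlv(buf, pos):
    """Return (tag, offset_of_value) for the ASN.1 TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first <= 0x80:                      # short form, or BER indefinite length
        return tag, pos + 2
    n = first & 0x7F                       # long form: n length octets follow
    if n > 4:
        raise ValueError("implausible length field")
    return tag, pos + 2 + n


def credential_format(data):
    """Classify a credential blob as 'pem', 'pkcs12', 'der' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    try:
        tag, body = _tlv(data, 0)
        if tag != 0x30:                    # every candidate starts with SEQUENCE
            return "unknown"
        # PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, ... }
        if data[body:body + 3] == b"\x02\x01\x03" and data[body + 3] == 0x30:
            return "pkcs12"
    except (IndexError, ValueError):
        return "unknown"
    return "der"


def https_client(host, credential_path, port=443):
    """Build an HTTPSConnection, refusing non-PEM client credentials up front."""
    with open(credential_path, "rb") as fh:
        kind = credential_format(fh.read())
    if kind != "pem":
        raise ValueError("%s looks like %s, but ssl loads key and certificate "
                         "files as PEM; convert it first" % (credential_path, kind))
    ctx = ssl.create_default_context()     # keeps server certificate checks on
    ctx.load_cert_chain(credential_path)   # prompts if the PEM key is encrypted
    return http.client.HTTPSConnection(host, port, context=ctx)


# Constructed sample headers (leading bytes only), not taken from the page.
PFX_DER = bytes.fromhex("308209a10201033082096706092a864886f70d010701")
PFX_BER = bytes.fromhex("3080020103308006092a864886f70d010701")
RSA_DER = bytes.fromhex("308204a40201000282010100")
```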
