Twisted Python How To Create a twisted.web.client.BrowserLikePolicyForHTTPS with a custom trustRoot?


Question

I am trying to create a t.w.c.BrowserLikePolicyForHTTPS to use as the ContextFactory for a t.w.c.Agent. I am using an internal CA for all the servers I want the Agent to communicate with, so I'd like to be able to tell it to load the CA cert (PEM format) and use it as the trustRoot argument to BrowserLikePolicyForHTTPS. I have read the docs and looked at the source, but I have no idea what I am supposed to supply as arguments. I tried providing a PyOpenSSL x509 object, but I get an error:

exceptions.TypeError: ('Could not adapt', <OpenSSL.crypto.X509 object at 0x280b290>, <InterfaceClass twisted.internet._sslverify.IOpenSSLTrustRoot>)

I can see in the code in t.i._sslverify that OpenSSLCertificateAuthorities somehow gets adapted to IOpenSSLTrustRoot, but it is not really clear to me how this happens.

I know the stock agent doesn't do any cert-checking. I am working with a fork of treq and am experimenting with adding an option to provide a custom Agent.

Any help with the trustRoot argument would be appreciated. If I am going about this the hard way, please let me know that, too.

Recommended answer

Your question here highlights a terrible oversight in the documentation; both in the API documentation, and in the narrative documentation for. If Jean-Paul can't figure out the "right way" to do this, then there is clearly no hope for a regular user. I have filed a bug to correct this oversight.

In the meanwhile, please avoid Jean-Paul's solution. While it is functional, it involves techniques which will almost certainly break without warning in future releases (as he clearly notes). Luckily there are supported ways to do this. If you have a single alternate trust root, Certificate is usable as a value to the trustRoot parameter. You can use it like so (I have tested the following example with Twisted 14.0.2):

from __future__ import print_function
from twisted.web.client import Agent, BrowserLikePolicyForHTTPS
from twisted.internet.task import react
from twisted.internet.ssl import Certificate
from twisted.internet.protocol import Protocol
from twisted.python.filepath import FilePath
from twisted.internet.defer import inlineCallbacks, Deferred

@inlineCallbacks
def main(reactor):
    # Load the internal CA certificate (PEM) and use it as the only trust root.
    customPolicy = BrowserLikePolicyForHTTPS(
        Certificate.loadPEM(FilePath("your-trust-root.pem").getContent())
    )
    agent = Agent(reactor, customPolicy)
    # Method and URI are byte strings (Agent.request requires bytes on Python 3).
    response = yield agent.request(
        b"GET", b"https://your-web-site.example.com/"
    )
    done = Deferred()
    class CaptureString(Protocol):
        def dataReceived(self, data):
            print("Received:", data)
        def connectionLost(self, reason):
            # Body fully delivered (or connection dropped): let main() finish.
            done.callback(None)
    response.deliverBody(CaptureString())
    yield done

react(main)
