Python客户端 - SSL lib - 证书验证失败 [英] Python client - SSL lib - certificate verify failed

问题描述

我正在尝试为学习目的做一个小型安全HTTPS客户端，看看SSL的所有机制现在如何在更高层次上工作，所以我试图通过ssl.wrap_socket将一个简单的套接字转换为ssl 。

I'm trying to do a small secure HTTPS client for learning purposes and see how all the mechanics of SSL works on a higher level for now, so i'm trying to convert a simple socket into a ssl via ssl.wrap_socket.

我可能倒退了整个概念但是，这就是我正在做的事情：

I probably got the whole concept backwards but, here's what i'm doing:

s.connect((host, port))
if port == 443:
    f = open('cacerts.txt', 'r')
    calist = f.read()
    f.close()
    ca = ssl.get_server_certificate((host, port), ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1)
    if not ca in calist:
        f = open('cacerts.txt', 'a')
        f.write(ca)
        f.close()
    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_REQUIRED, ca_certs="cacerts.txt")
    s.do_handshake()

当我打电话给do_handshake（）时，我得到这个：

And when i call do_handshake() i get this:

Traceback (most recent call last):
  File "SSL_test.py", line 84, in Requester
    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_REQUIRED, ca_certs="cacerts.txt")
  File "C:\Python26\lib\ssl.py", line 338, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "C:\Python26\lib\ssl.py", line 120, in __init__
    self.do_handshake()
  File "C:\Python26\lib\ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

我已经搜索了一段时间并试图找到一些与我所做的相近的东西，但每个人都指向PyOpenSSL或Twisted而且我更愿意，如果我可以远离这些图书馆，主要是因为后来我计划将其带入一个敏锐的生产环境我只允许使用Python2.6的内置库。

I've searched around for a while and tried for find something that would be close to what i do, but everyone points to either PyOpenSSL or Twisted and i'd prefer if i could stay out of those libraries, mainly because later on i'm planing on bringing this into a sharp production environment where i'm only allowed to use the built in libraries of Python2.6.

任何帮助都会很棒！

推荐答案

这里的问题是你不能用自己验证证书（这是你想要做的），除非它是自签名的，并且有CA位设置。您应该将该网站的真实CA证书添加到 cacerts.txt 文件中。另一种选择（类似于在Web浏览器中无论如何连接）是将 cert_reqs 放到 ssl.CERT_NONE 之后你得到这样的例外，并且明白中间可能有一个人。这不是 ssl 模块问题，这就是SSL / X.509的工作方式。

The problem here is that you can't validate a certificate with itself (that is what you are trying to do) unless it is self-signed, and has a CA bit set. You should add a real CA certificate of the web site to the cacerts.txt file. Another alternative (something like "connect anyway" in a web browser) is to drop the cert_reqs to ssl.CERT_NONE after you get such exception, and understand that there could possibly be a man in the middle. This is not the ssl module issue, this is how SSL/X.509 work.

这篇关于Python客户端 - SSL lib - 证书验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！