python - 如何设置 aiohttp https 服务器和客户端？

Question

我正在尝试了解如何保护数据在通过服务器和工作人员之间的开放网络传输后不被更改

在我的脑海里，我在想它应该遵循这样的东西:

|server|---send_job----->|worker|
|      |<--send_results--|      |
|      |                 |      |
|      |-send_kill_req-->|      |

显然，我不希望有人更改我的 send_job 来做一些邪恶的事情，我也不希望有人偷看我的结果。

所以我有一个 super 简单的 aiohttp 客户端/服务器设置，我试图在其中实现 ssl 但我完全迷路了。

下面是我尝试过的最基本的东西，但我也尝试通过以下方式实现我自己的 ssl 证书:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt

连同 documentation但我仍然无法得到任何回应。

我该如何正确实现 ssl_context 才能使其正常工作？!

server.py

from aiohttp import web
import msgpack
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])

ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)

客户端.py 导入 aiohttp 导入异步 导入 ssl

async def main():
    sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    async with aiohttp.ClientSession() as session:
        async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
            html = await response.read()
            print(html)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())

1. 在一个窗口中运行 python3 server.py
2. 在另一个窗口运行python3 client.py

然后我通常会得到类似这样的结果:

Traceback (most recent call last):
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
    yield from waiter
ConnectionResetError

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "client.py", line 14, in <module>
    loop.run_until_complete(main())
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
    return future.result()
  File "client.py", line 9, in main
    async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
    self._resp = await self._coro
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
    timeout=timeout
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
    req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
    raise last_exc
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
    req=req, client_error=client_error)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
    raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]

---

解决方案:

这是一个两部分的问题，

1. 我不知道我在用 openssl 做什么，requests 库帮助我解决了这个问题!

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
   

   事实证明，我在制作 openssl 证书时默认设置的那些行实际上很重要。一个稍微更正确(但可能仍然错误)的配置类似于

   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:.
   Locality Name (eg, city) []:.
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
   Organizational Unit Name (eg, section) []:.
   Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
   Email Address []:.
   

   让我得到了结果:

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
   

   'subjectAltName' 似乎有点难以添加，需要比简单命令更多的工作，您需要遵循像 this 这样的指南。 ，我会尝试一下，看看该错误是否会消失。

2. 我想我错误地使用了 ssl.Purpose.CLIENT/SERVER_AUTH，正如@Andrej 提到的那样，我将其调换(如下所示)并进行了一些其他更改，然后现在我得到了正确的回应。我只想说，我肯定还是不明白 ssl.Purpose 但至少我现在有一些可以使用的东西，希望我能及时弄清楚剩下的。
   client.py

   import aiohttp
   import asyncio
   import ssl
   
   
   async def main():
       sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt')
       async with aiohttp.ClientSession() as session:
           async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response:
               html = await response.read()
               print(html)
   
   loop = asyncio.get_event_loop()
   loop.run_until_complete(main())
   

   server.py

   from aiohttp import web
   import ssl
   
   async def handle(request):
       name = request.match_info.get('name', "Anonymous")
       text = "Hello, " + name
       return web.Response(text=text)
   
   app = web.Application()
   app.add_routes([web.get('/', handle),
                   web.get('/{name}', handle)])
   
   ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
   ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
   web.run_app(app, ssl_context=ssl_context)
   

   命令行

   >python3 server.py
   # Switch to a new window/pane
   >python3 client.py
   b'Hello, JOHNYY'
   

编辑:我只想为正在处理此类问题的任何人发布更新。我认为使用 python 加密库是生成 crt/ key 文件的更好方法，因此如果您有兴趣，请随意使用/修改此模板(我不保证这些是最佳实践):

#!/usr/bin/env python
"""
stuff for network security
"""

import socket
import datetime

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes

import attr


@attr.s(auto_attribs=True)
class Netsec:
    hostname: str = attr.Factory(socket.gethostname)
    out_file_name: str = "domain_srv"

    def generate_netsec(self):
    # GENERATE KEY
        key = rsa.generate_private_key(
            public_exponent=65537,
            key_size=2048,
            backend=default_backend(),
        )

        with open(f"{self.out_file_name}.key", "wb") as f:
            f.write(key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.TraditionalOpenSSL,
                encryption_algorithm=serialization.NoEncryption(),
            ))

        subject = issuer = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
            x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wala Wala"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"),
            x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
        ])

        cert = x509.CertificateBuilder().subject_name(
            subject
        ).issuer_name(
            issuer
        ).public_key(
            key.public_key()
        ).serial_number(
            x509.random_serial_number()
        ).not_valid_before(
            datetime.datetime.utcnow()
        ).not_valid_after(
            # Our certificate will be valid for 5 years
            datetime.datetime.utcnow() + datetime.timedelta(days=365*5)
        ).add_extension(
            x509.SubjectAlternativeName([
                x509.DNSName(u"localhost"),
                x509.DNSName(self.hostname),
                x509.DNSName(u"127.0.0.1")]),
            critical=False,
        # Sign our certificate with our private key
        ).sign(key, hashes.SHA256(), default_backend())

        with open(f"{self.out_file_name}.crt", "wb") as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

Answer 1

您正在创建证书，但没有将它们加载到 SSL 链中。并将您的 ssl_context 创建从 ssl.Purpose.SERVER_AUTH 更改为 ssl.Purpose.CLIENT_AUTH:

from aiohttp import web
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])


ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')

web.run_app(app, ssl_context=ssl_context)

当您运行服务器时，客户端将在连接时打印:

b'Hello, Anonymous'