
python-3.x - Can someone explain the SSL certificate callback function?

Reprinted. Author: 太空宇宙. Updated: 2023-11-03 13:07:01

Apologies in advance if this isn't the right SO (Information Security or Cryptography). Anyway, I'm trying to figure out how to verify a client's SSL certificate in Python. I found a callback function here that looks similar to other ones I've seen online. However, in my code, I'm not sure how (or why) it works. When I run my code it seems to work, but why (in PyCharm) are the first four parameters greyed out and only the fifth white? Is there a way to use this callback function to check for specific certificate errors?

This is the output when I run it:

Certs are fine
Certs are fine
Certs are fine
b'HTTP/1.1 200 OK\r\nDate: Tue, 12 Apr 2016...etc

I'm assuming each "Certs are fine" line is verifying one certificate in the chain?

import socket
from OpenSSL import SSL

HOST = "www.google.com"
PORT = 443

def verify_callback(connection, x509, errnum, errdepth, ok):
    # Called once per certificate in the chain; `ok` is OpenSSL's preverify result.
    if not ok:
        print("Bad Certs")
    else:
        print("Certs are fine")
    return ok


context = SSL.Context(SSL.TLSv1_2_METHOD)
context.load_verify_locations("cacerts.pem")
context.set_options(SSL.OP_NO_SSLv2)
context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)


# create socket and connect to server
sock = socket.socket()
sock = SSL.Connection(context, sock)
sock.connect((HOST, PORT))
sock.do_handshake()
# Python 3: the request must be bytes, and HTTP/1.1 needs a Host header
sock.sendall(b"GET / HTTP/1.1\r\nHost: " + HOST.encode() + b"\r\n\r\n")
print(sock.recv(4096))
sock.close()

Best answer

The pyOpenSSL docs say very little about this, but the function is a wrapper around the corresponding OpenSSL function, whose documentation is much better.

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates, whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to the complete context used for the certificate chain verification.

The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in x509_ctx and verify_callback is called with preverify_ok=0. By applying X509_CTX_store_* functions verify_callback can locate the certificate in question and perform additional steps (see EXAMPLES). If no error is found for a certificate, verify_callback is called with preverify_ok=1 before advancing to the next level.

The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The calling process can however retrieve the error code of the last verification error using SSL_get_verify_result(3) or by maintaining its own error storage managed by verify_callback.

If no verify_callback is specified, the default callback will be used. Its return value is identical to preverify_ok, so that any verification failure will lead to a termination of the TLS/SSL handshake with an alert message, if SSL_VERIFY_PEER is set.

That documentation also has a well-explained example verify function that checks whether the chain being verified is too long. If the chain is too long, the error is logged, and then, depending on a user-set value, the callback either returns 0 so that verification fails, or returns 1 (i.e. ignores the error and lets verification pass).

Additionally, this blog post has a pyOpenSSL example that checks for just a few specific errors and fails verification when they occur.
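Added example (not code from the question, the answer, the linked blog post or pyOpenSSL itself) that turns the quoted OpenSSL rules and the man page's chain-length check into a reusable callback with the five-argument signature pyOpenSSL passes. It records every error OpenSSL reports, rejects chains deeper than a limit, and continues only for an explicit allow-list of error codes. The X509_V_ERR_* values are OpenSSL's own constants; the chain `events` are constructed tuples standing in for what OpenSSL would hand the callback, so the logic runs offline; `connect_and_verify` is an assumed helper that only works when pyOpenSSL is installed.

```python
"""pyOpenSSL-style verify callback: record errors, cap chain depth, allow-list errors.

Added example; the chains fed to simulate_chain() are constructed, not real certificates.
"""
import socket

try:
    from OpenSSL import SSL  # only needed for connect_and_verify()
except ImportError:          # pyOpenSSL not installed: the offline part still works
    SSL = None

# A few X509_V_ERR_* codes from OpenSSL's x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_CERT_CHAIN_TOO_LONG = 22

ERROR_NAMES = {
    X509_V_ERR_CERT_HAS_EXPIRED: "certificate has expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "self-signed leaf certificate",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "self-signed certificate in chain",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "issuer not in trust store",
    X509_V_ERR_CERT_CHAIN_TOO_LONG: "certificate chain too long",
}


class ChainVerifier:
    """Builds the callback that Context.set_verify() expects.

    OpenSSL calls it once per certificate, root first (highest errdepth) down to
    the peer's leaf (errdepth 0), plus once for every error found at a level.
    Returning 0 aborts the handshake immediately; returning 1 continues.
    """

    def __init__(self, max_depth=3, allowed_errors=()):
        self.max_depth = max_depth           # like verify_depth in the man page example
        self.allowed_errors = set(allowed_errors)
        self.errors = []                     # (depth, errnum, description), in callback order

    def callback(self, connection, x509, errnum, errdepth, ok):
        # `connection` and `x509` are unused here, which is why an IDE greys them out.
        if ok and errdepth > self.max_depth:
            # Same trick as the man page: turn a too-deep chain into a failure.
            ok, errnum = 0, X509_V_ERR_CERT_CHAIN_TOO_LONG
        if ok:
            return 1                         # this level is fine, keep walking the chain
        self.errors.append((errdepth, errnum, ERROR_NAMES.get(errnum, "X509_V_ERR %d" % errnum)))
        # Continue only for errors the caller explicitly chose to tolerate.
        return 1 if errnum in self.allowed_errors else 0


def simulate_chain(verifier, events):
    """Drive the callback the way OpenSSL would for a constructed chain.

    `events` is a list of (errnum, errdepth, ok) tuples in OpenSSL's order
    (deepest level first). Returns True if the handshake would proceed.
    """
    for errnum, errdepth, ok in events:
        if verifier.callback(None, None, errnum, errdepth, ok) == 0:
            return False                     # OpenSSL stops at the first 0 return
    return True


# Constructed inputs: what OpenSSL would report for root, intermediate, leaf.
GOOD_CHAIN = [(X509_V_OK, 2, 1), (X509_V_OK, 1, 1), (X509_V_OK, 0, 1)]
SELF_SIGNED_LEAF = [(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0, 0), (X509_V_OK, 0, 1)]
EXPIRED_INTERMEDIATE = [(X509_V_OK, 2, 1), (X509_V_ERR_CERT_HAS_EXPIRED, 1, 0),
                        (X509_V_OK, 1, 1), (X509_V_OK, 0, 1)]
TOO_DEEP = [(X509_V_OK, 3, 1), (X509_V_OK, 2, 1), (X509_V_OK, 1, 1), (X509_V_OK, 0, 1)]


def connect_and_verify(host, port, cafile, verifier):
    """Assumed helper: real handshake with pyOpenSSL using verifier.callback.

    Returns True if the handshake completed; inspect verifier.errors afterwards.
    """
    if SSL is None:
        raise RuntimeError("pyOpenSSL is not installed")
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    ctx.load_verify_locations(cafile)
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verifier.callback)
    conn = SSL.Connection(ctx, socket.socket())
    conn.set_tlsext_host_name(host.encode())  # SNI only; the callback does NOT check the hostname
    conn.connect((host, port))
    try:
        conn.do_handshake()
    except SSL.Error:
        return False                         # callback returned 0 somewhere in the chain
    finally:
        conn.close()
    return True


if __name__ == "__main__":
    v = ChainVerifier(max_depth=3)
    print("good chain accepted:", simulate_chain(v, GOOD_CHAIN), v.errors)
    v = ChainVerifier(max_depth=3)
    print("self-signed leaf accepted:", simulate_chain(v, SELF_SIGNED_LEAF), v.errors)
```

The callback only sees what OpenSSL's chain validation reports: signatures, issuer links, validity dates and the trust anchor. It does not check that the leaf certificate's name matches the host you connected to, so a real pyOpenSSL client still needs a separate hostname check against the leaf's subjectAltName after the handshake.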

Original question on Stack Overflow: https://stackoverflow.com/questions/36562156/
