
python - OpenSSL s_client and Python SSL module disagree on hostname certificate

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:28:00

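I've run into a strange problem. It looks like OpenSSL's "s_client" tool doesn't like the SSL certificate of my AppEngine application and won't even acknowledge it ("no peer certificate available"), yet Python's SSL module reports the issuer, date range, serial number, subject, and so on, as if nothing were wrong.

I'd assume there is some subtle misconfiguration in my SSL certificate, but since AppEngine provides a very simple certificate upload wizard, saying there is a misconfiguration is saying that Google's functionality is broken... which I doubt.

If anyone else has experienced this, I'd appreciate some insight.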

s_client:

openssl s_client -connect www.abc.com:443

s_client output:

CONNECTED(00000003)
3073997000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Python 3.3 test script:

import socket

from ssl import wrap_socket, CERT_NONE, PROTOCOL_SSLv23
from ssl import SSLContext  # Modern SSL?
from ssl import HAS_SNI  # Has SNI?
from ssl import SSLError  # Raised below when the CA bundle cannot be loaded

from pprint import pprint

# Stole this from "requests" package.
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                    ca_certs=None, server_hostname=None,
                    ssl_version=None):

    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        try:
            context.load_verify_locations(ca_certs)
        # Py32 raises IOError
        # Py33 raises FileNotFoundError
        except Exception as e:  # Reraise as SSLError
            raise SSLError(e)

    if certfile:
        # FIXME: This block needs a test.
        context.load_cert_chain(certfile, keyfile)

    if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
        # Passing server_hostname makes the client send the SNI extension.
        return context.wrap_socket(sock, server_hostname=server_hostname)

    return context.wrap_socket(sock)

hostname = 'www.abc.com'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, 443))

sslSocket = ssl_wrap_socket(s,
                            ssl_version=2,  # 2 == PROTOCOL_SSLv23
                            cert_reqs=2,  # 2 == CERT_REQUIRED
                            ca_certs='/usr/local/lib/python3.3/dist-packages/requests/cacert.pem',
                            server_hostname=hostname)

pprint(sslSocket.getpeercert())
s.close()

Test script output:

{'issuer': ((('countryName', 'US'),),
(('organizationName', 'GeoTrust, Inc.'),),
(('commonName', 'RapidSSL CA'),)),
'notAfter': 'Oct 2 20:01:20 2014 GMT',
'notBefore': 'Sep 29 02:17:38 2013 GMT',
'serialNumber': '0E45AF',
'subject': ((('serialNumber', 'd3tVuFeMunyn/gFFucMFHgZ2iBihdthR'),),
(('organizationalUnitName', 'GT22884059'),),
(('organizationalUnitName',
'See www.rapidssl.com/resources/cps (c)13'),),
(('organizationalUnitName',
'Domain Control Validated - RapidSSL(R)'),),
(('commonName', 'www.abc.com'),)),
'subjectAltName': (('DNS', 'www.abc.com'),
('DNS', 'abc.com')),
'version': 3}

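Best answer

The problem was that I did not include the "servername" argument in the "s_client" call.

Regarding python - OpenSSL s_client and Python SSL module disagree on hostname certificate, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19144949/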
