服务器:
#!/usr/bin/env python
import SocketServer
import json
from OpenSSL import SSL
import os
import socket
TERMINATION_STRING = "Done"
CERTIFICATE_PATH = os.getcwd() + '/CA/certs/01.pem'
KEY_PATH = os.getcwd() + '/CA/private/key.pem'
CA_PATH = os.getcwd() + '/CA/cacert.pem'
print CA_PATH
def verify_cb(conn, cert, errnum, depth, ok):
print('Got cert: %s' % cert.get_subject())
return ok
class SSLThreadingTCPServer(SocketServer.ThreadingTCPServer):
def __init__(self, address, handler):
SocketServer.ThreadingTCPServer.__init__(self, address, handler)
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
ctx.use_privatekey_file(KEY_PATH)
ctx.use_certificate_file(CERTIFICATE_PATH)
ctx.load_verify_locations(CA_PATH)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
self.socket.set_accept_state()
self.server_bind()
self.server_activate()
print "Serving:", address[0], "on port:", address[1]
class MemberUpdateHandler(SocketServer.StreamRequestHandler):
def setup(self):
self.connection = self.request
self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
print self.client_address, "connected"
def handle(self):
data = ""
while True:
data += self.request.recv(1024).encode('utf-8').strip
if data[-4:] == "Done":
print "Done"
break
dataStrings = data.split(' ')
for item in dataStrings:
print item
if __name__ == "__main__":
ADDRESS = 'localhost'
PORT = 42424
HOST = (ADDRESS, PORT)
s = SSLThreadingTCPServer(HOST, MemberUpdateHandler)
s.serve_forever()
客户端:
#!/usr/bin/env python
from OpenSSL import SSL
import socket
import os
HOST = 'localhost'
PORT = 42424
ADDRESS = (HOST, PORT)
CERTIFICATE_FILE = os.getcwd() + '/CA/certs/02.pem'
KEY_PATH = os.getcwd() + '/CA/clientKey.pem'
CA_PATH = os.getcwd() + '/CA/cacert.pem'
def verify_cb(conn, cert, errnum, depth, ok):
print('Got cert: %s' % cert.get_subject())
return ok
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, verify_cb)
ctx.use_certificate_file(CERTIFICATE_FILE)
ctx.use_privatekey_file(KEY_PATH)
ctx.load_verify_locations(CA_PATH)
sslSock = SSL.Connection(ctx, sock)
sslSock.connect(ADDRESS)
items = "this is a test Done"
sslSock.sendall(items)
sslSock.close()
服务器端出错:
Error: [('SSL routines', 'SSL3_GET_CLIENT_HELLO', 'no shared cipher')]
客户端出错:
OpenSSL.SSL.Error: [('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')]
我有一种感觉,我错过了一些简单的东西,但一直无法把它钉死。我在各个地方找到了几个与我完全相同的问题,但没有人回答过。我是网络编程的新手,非常感谢任何帮助。
使用Ubuntu 10.04和python 2.6
答案 0 :(得分:2)
尝试将顺序更改为:
...
ctx.use_certificate_file(CERTIFICATE_PATH)
ctx.use_privatekey_file(KEY_PATH)
...
当我在我的代码中使用此订单时,我在服务器启动时获得了有意义的错误消息(而不是在客户端连接上):
Traceback (most recent call last):
File "src/server_main.py", line 230, in <module>
s = SSLClientsAuthServer()
File "src/server_main.py", line 134, in __init__
ctx.use_privatekey_file (self.config.value['SERVER_KEY'])
OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]
这是因为我真的使用了不对应webserver.crt的webserver.key:
$ openssl x509 -text -in certs/webserver.crt
Certificate:
Data:
Version: 3 (0x2)
...
Modulus:
00:a1:b6:e3:ce:53:3d:c9:96:a6:06:1d:3e:ae:34:
....
$ openssl rsa -text -in keys/webserver.key
Private-Key: (2048 bit)
modulus:
00:b7:34:61:d7:c7:0d:2b:5c:57:26:d0:8d:7a:04:
....
确保您使用了相同的RSA密钥。
答案 1 :(得分:1)
一个错误是:
data += self.request.recv(1024).encode('utf-8').strip
引导我进入
TypeError: cannot concatenate 'str' and 'builtin_function_or_method' objects
应该是:
data += self.request.recv(1024).encode('utf-8').strip()
这个例子适合我。
Got cert: <X509Name object '/C=IT/ST=XXX/L=YYY/O=ZZZ/OU=NNN/CN=CA'>
Got cert: <X509Name object '/C=IT/ST=XXX/L=YYY/O=ZZZ/OU=NNN/CN=Server'>
使用Stock 10.04 Ubuntu服务器和从apt-get安装的软件包进行测试。
python-openssl 0.10-1
openssl 0.9.8k-7ubuntu8
python 2.6.5-0ubuntu1
您应该使用列出一些可用密码的简单脚本检查您的证书/ CA或测试服务器:https://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
更新2:
为了排除某些证书问题,您可以生成一些CA和服务器/客户端证书,例如http://acs.lbl.gov/~boverhof/openssl_certs.html