我有一台服务器需要来自Python 2.7.6客户端的身份验证SSL。它已经在生产中工作了几个月,也在我的本地开发环境中工作。他们都使用Nginx。我主要是在Mac上进行开发,但为了发现这个问题,我已经用完了Ubuntu 14.04 VM。
从星期五开始,客户端收到400("错误请求")。我没有明确升级或改变任何东西。版本控制同意没有任何改变。它只在与本地(非生产)交谈时中断,因此我认为它是一个Nginx问题。但是,它仍然适用于本地的cURL。
这是返回的400个内容:
vagrant@deploy:/deployment/deploy_scripts/dev$ ./curl_ds_host_shell.py
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
它比cURL更好:
curl -s -v -X GET -k --cert /var/lib/rt_data/ssl/rt.crt.pem --key /var/lib/rt_data/ssl/rt.private_key.pem https://deploy_api.local:8443/auth/admin/1/hosts
它也适用于Python 3.4。这似乎只是urllib2 / httplib的一个问题(我使用请求,它调用urllib2 / httplib)。这个直接的例子失败了:
import urllib2
import httplib
cert_filepath = '/var/lib/rt_data/ssl/rt.crt.pem'
key_filepath = '/var/lib/rt_data/ssl/rt.private_key.pem'
url = 'https://deploy_api.local:8443/auth/admin/1/hosts'
class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
"""Wrapper to allow for authenticated SSL connections."""
def __init__(self, key, cert):
urllib2.HTTPSHandler.__init__(self)
self.key = key
self.cert = cert
def https_open(self, req):
# Rather than pass in a reference to a connection class, we pass in
# a reference to a function which, for all intents and purposes,
# will behave as a constructor
return self.do_open(self.getConnection, req)
def getConnection(self, host, timeout=300):
return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert)
opener = urllib2.build_opener(HTTPSClientAuthHandler(key_filepath, cert_filepath))
response = opener.open(url)
response_data = response.read()
print(response_data)
有没有人知道为什么会这样?