我试图了解Thrift中SSL套接字的语义。特别是字段:ca_certs,keyfile和certfile完成。
客户端keyfile
上的用法是私钥的路径,然后使用certfile
这些字段似乎对我不利,因为我希望在服务器端而不是客户端看到密钥文件字段。
服务器端的certfile是真正的pem(意味着公共证书和私钥的组合)还是只是一个证书?
验证客户端到服务器的正确用法是什么,反之亦然?
TSSLSocket Initializer
def __init__(self,
host='localhost',
port=9090,
validate=True,
ca_certs=None,
keyfile=None,
certfile=None,
unix_socket=None,
ciphers=None):
"""Create SSL TSocket
@param validate: Set to False to disable SSL certificate validation
@type validate: bool
@param ca_certs: Filename to the Certificate Authority pem file, possibly a
file downloaded from: http://curl.haxx.se/ca/cacert.pem This is passed to
the ssl_wrap function as the 'ca_certs' parameter.
@type ca_certs: str
@param keyfile: The private key
@type keyfile: str
@param certfile: The cert file
@type certfile: str
@param ciphers: The cipher suites to allow. This is passed to
the ssl_wrap function as the 'ciphers' parameter.
@type ciphers: str
Raises an IOError exception if validate is True and the ca_certs file is
None, not present or unreadable.
"""
服务器端:
class TSSLServerSocket(TSocket.TServerSocket):
SSL_VERSION = ssl.PROTOCOL_TLSv1
def __init__(self,
host=None,
port=9090,
certfile='cert.pem',
unix_socket=None,
ciphers=None):