Python SSL服务器 - 仅具有密码套件的客户端Hello:TLS_DH_anon_WITH_AES_256_CBC_SHA(0x003a)失败

时间:2016-01-09 20:10:23

标签: python ssl

我正在尝试让客户端与我的Python服务器脚本建立TLSv1连接。我不确定为什么它不起作用......

在Client Hello中,唯一提供的密码套件是TLS_DH_anon_WITH_AES_256_CBC_SHA(0x003a) - 正如WireShark所写。

无论我在ssl_wrapper中定义什么,我都尝试将ciphers =保留在定义之外,正如您在代码中看到的那样" ADH-AES256-SHA"," ALL&#34 ;," ALL:eNULL"," ADH"。我总是得到没有共享的回复。

我在Linux中使用Windows Python 3.5.1和Python 2.7.9都尝试了这一点。同样的问题。

如果我在Linux或cygwin中使用openssl s_server进行调试,它正在运行......

openssl s_server -accept 22939 -cert server.crt -key private_key.pem -cipher' ADH-AES256-SHA' -debug

cygwin openssl 1.0.2e

linux openssl 1.0.1k

代码:

import socket, ssl

tcpSocket = socket.socket()
tcpSocket.bind(('', 22939))
tcpSocket.listen(5)


while True:
    newsocket, fromaddr = tcpSocket.accept()
    sslSocket = ssl.wrap_socket(newsocket,
                                 server_side=True,
                                 certfile="server.crt",
                                 keyfile="private_key.pem",
                                 ciphers="ADH-AES256-SHA"
                                 )
try:
    #Later add stuff
finally:
    sslSocket.shutdown(socket.SHUT_RDWR)
    sslSocket.close()

Python错误:

   File "C:\Program Files (x86)\Python35-32\lib\ssl.py", line 1064, in wrap_socket
ciphers=ciphers)
  File "C:\Program Files (x86)\Python35-32\lib\ssl.py", line 747, in __init__
self.do_handshake()
  File "C:\Program Files (x86)\Python35-32\lib\ssl.py", line 983, in do_handshake
self._sslobj.do_handshake()
    File "C:\Program Files (x86)\Python35-32\lib\ssl.py", line 628, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:645)

Wireshark的客户问候:

TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 45
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 41
        Version: TLS 1.0 (0x0301)
        Random
            GMT Unix Time: Jan  9, 2016 20:34:56.000000000 W. Europe Standard Time
            Random Bytes: a5e0011a6307dc4328eb9a2779a5f22a2eea8d607c8a1297...
        Session ID Length: 0
        Cipher Suites Length: 2
        Cipher Suites (1 suite)
            Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)

2 个答案:

答案 0 :(得分:2)

主要问题可能是您使用的是DH密码,但没有任何DH参数。虽然openssl s_server内置了一些默认的DH参数,但ssl.wrap_socket却没有,因此您必须明确设置它们。有关示例,请参阅http://nullege.com/codes/search/ssl.SSLContext.load_dh_params

除此之外,将证书与匿名密码一起使用是没有意义的,即明确不需要证书的密码。

答案 1 :(得分:1)

感谢Steffen,经过无数次故障排除,我能够轻松地完成这项工作。

以防其他人有这个问题,这是代码中的解决方案:

首先生成PEM dhparams文件

openssl dhparam -5 -outform PEM -out dhparam.pem

Python代码:

import socket, ssl

tcpSocket = socket.socket()
tcpSocket.bind(('', 22939))
tcpSocket.listen()

while True:
    newsocket, fromaddr = tcpSocket.accept()
    sslContext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    sslContext.set_ciphers("ADH-AES256-SHA")
    sslContext.load_dh_params("dhparam.pem")
    sslSocket = sslContext.wrap_socket(newsocket,
                                      server_side=True,
                                      )
    try:
        #Later add stuff
    finally:
        sslSocket.shutdown(socket.SHUT_RDWR)
        sslSocket.close()
相关问题
最新问题