我正在使用加密模块创建证书并使用中间证书(本地生成的CA和中间件)对其进行签名。我正在使用该证书包装ssl套接字以构建SSL通道。但它引发了一个错误:
Traceback (most recent call last):
File "spoofTrial.py", line 72, in <module>
ssl_conn = ssl.wrap_socket(newsocket, server_side=True, certfile=certPATH, keyfile=keyPATH, ssl_version=ssl.PROTOCOL_TLSv1)
File "/usr/local/lib/python3.5/ssl.py", line 1064, in wrap_socket
ciphers=ciphers)
File "/usr/local/lib/python3.5/ssl.py", line 686, in __init__
self._context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2803)
在下面找到我正在尝试的客户端和服务器代码:
这是客户端脚本。
from OpenSSL import SSL, crypto
from socket import socket
from pprint import pprint
import random
ca_file='/home/osboxes/certProject/ca-chaincert.pem'
cacert='/root/ca/intermediate/certs/intermediatecert.pem'
cakey='/root/ca/intermediate/private/intermediatekey.pem'
ca_path= None;
def callback(conn, cert, errno, depth, result):
#*******
return True
context = SSL.Context(SSL.TLSv1_METHOD) # Use TLS Method
context.set_options(SSL.OP_NO_SSLv2) # Don't accept SSLv2
context.set_verify(SSL.VERIFY_PEER, callback)
context.load_verify_locations(ca_file, ca_path)
sock = socket()
ssl_sock = SSL.Connection(context, sock)
ssl_sock.connect(('#ServerIpAddress', 5000))
ssl_sock.do_handshake()
ssl_sock.send("Hello Server")
print(ssl_sock.recv(10))
cert = ssl_sock.get_peer_certificate()
服务器端脚本如下:
import ssl
from OpenSSL import crypto
from socket import socket, gethostname
import random
# To Sign a certificate, I have created my own Root CA and Intermediate certificate using Openssl commands.
cacert='/root/ca/intermediate/certs/intermediatecert.pem'
cakey='/root/ca/intermediate/private/intermediatekey.pem'
def newcert(CN,CountryName,State,Locality,Org,Unit):
global keyPATH
keyPATH="/root/ca/intermediate/private/"+gethostname()+"_onflykey.PEM"
global certPATH
certPATH="/root/ca/intermediate/certs/"+gethostname()+"_onflycert.PEM"
serial = random.randrange(1, 65545);
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(cakey).read())
key = crypto.PKey()
key.generate_key( crypto.TYPE_RSA, 2048)
cert=crypto.X509()
cert.get_subject().CN=gethostname()
cert.get_subject().C=CountryName
cert.get_subject().ST=State
cert.get_subject().L=Locality
cert.get_subject().O=Org
cert.get_subject().OU=Unit
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365*24*60*60)
cert.set_serial_number(serial)
cert.set_pubkey(key)
cert.set_issuer(ca_cert.get_subject())
cert.add_extensions([crypto.X509Extension(b"basicConstraints", True,b"CA:FALSE"), crypto.X509Extension(b"nsCertType", True,b"server")])
cert.sign(ca_key, "sha256")
new_key=open(keyPATH,"wb")
new_key.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
new_cert=open(certPATH,"wb")
new_cert.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
serverPort = 5000
if __name__ == '__main__':
server_socket = socket()
server_socket.bind(('', serverPort))
server_socket.listen(5)
newsocket, fromaddr = server_socket.accept()
newcert("serverxyz.project.com","VA","Fairfax","XYZ","ABZ Ltd","ABZ Ltd Server")
ssl_conn = ssl.wrap_socket(newsocket, server_side=True, certfile=certPATH, keyfile=keyPATH, ssl_version=ssl.PROTOCOL_TLSv1)
print(ssl_conn.read())
ssl_conn.write('200 OK \r\n\r\n'.encode())
ssl_conn.close()
server_socket.close()
请帮我一样......