使用pyopenssl加密模块创建的证书包装套接字时出现SSL错误

时间:2016-04-11 17:49:52

标签: sockets ssl pyopenssl

我正在使用加密模块创建证书并使用中间证书(本地生成的CA和中间件)对其进行签名。我正在使用该证书包装ssl套接字以构建SSL通道。但它引发了一个错误:

Traceback (most recent call last):
  File "spoofTrial.py", line 72, in <module>
    ssl_conn = ssl.wrap_socket(newsocket, server_side=True, certfile=certPATH, keyfile=keyPATH, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/local/lib/python3.5/ssl.py", line 1064, in wrap_socket
    ciphers=ciphers)
  File "/usr/local/lib/python3.5/ssl.py", line 686, in __init__
    self._context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2803)

在下面找到我正在尝试的客户端和服务器代码:

这是客户端脚本。

from OpenSSL import SSL, crypto
from socket import socket
from pprint import pprint
import random

ca_file='/home/osboxes/certProject/ca-chaincert.pem'
cacert='/root/ca/intermediate/certs/intermediatecert.pem'
cakey='/root/ca/intermediate/private/intermediatekey.pem'
ca_path= None;
def callback(conn, cert, errno, depth, result):
    #*******
    return True

context = SSL.Context(SSL.TLSv1_METHOD) # Use TLS Method
context.set_options(SSL.OP_NO_SSLv2) # Don't accept SSLv2
context.set_verify(SSL.VERIFY_PEER, callback)
context.load_verify_locations(ca_file, ca_path)

sock = socket()
ssl_sock = SSL.Connection(context, sock)
ssl_sock.connect(('#ServerIpAddress', 5000))
ssl_sock.do_handshake()
ssl_sock.send("Hello Server")
print(ssl_sock.recv(10))
cert = ssl_sock.get_peer_certificate()

服务器端脚本如下:

import ssl
from OpenSSL import crypto
from socket import socket, gethostname
import random

# To Sign a certificate, I have created my own Root CA and Intermediate certificate using Openssl commands.
cacert='/root/ca/intermediate/certs/intermediatecert.pem'
cakey='/root/ca/intermediate/private/intermediatekey.pem'

def newcert(CN,CountryName,State,Locality,Org,Unit):
    global keyPATH
    keyPATH="/root/ca/intermediate/private/"+gethostname()+"_onflykey.PEM"
    global certPATH
    certPATH="/root/ca/intermediate/certs/"+gethostname()+"_onflycert.PEM"
    serial = random.randrange(1, 65545);
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert).read())
    ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(cakey).read())
    key = crypto.PKey()
    key.generate_key( crypto.TYPE_RSA, 2048)
    cert=crypto.X509()
    cert.get_subject().CN=gethostname()
    cert.get_subject().C=CountryName
    cert.get_subject().ST=State
    cert.get_subject().L=Locality
    cert.get_subject().O=Org
    cert.get_subject().OU=Unit
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(365*24*60*60)
    cert.set_serial_number(serial)
    cert.set_pubkey(key)
    cert.set_issuer(ca_cert.get_subject())
    cert.add_extensions([crypto.X509Extension(b"basicConstraints", True,b"CA:FALSE"), crypto.X509Extension(b"nsCertType", True,b"server")])
    cert.sign(ca_key, "sha256")
    new_key=open(keyPATH,"wb")
    new_key.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    new_cert=open(certPATH,"wb")
    new_cert.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))


serverPort = 5000
if __name__ == '__main__':
 server_socket = socket()
 server_socket.bind(('', serverPort))
 server_socket.listen(5)
 newsocket, fromaddr = server_socket.accept()
 newcert("serverxyz.project.com","VA","Fairfax","XYZ","ABZ Ltd","ABZ Ltd Server")

 ssl_conn = ssl.wrap_socket(newsocket, server_side=True, certfile=certPATH, keyfile=keyPATH, ssl_version=ssl.PROTOCOL_TLSv1)

 print(ssl_conn.read())
 ssl_conn.write('200 OK \r\n\r\n'.encode())
 ssl_conn.close()
 server_socket.close()

请帮我一样......

0 个答案:

没有答案