如果在其他地方回答了这个问题,但我没有在网上广泛浏览。
当尝试在python openssl库中使用CRL时,我们收到“证书未知”错误。具体而言,当crl撤销了ssl连接的握手中未使用的证书时,仍然会出现错误。如果改为使用空的CRL,则没有错误,并且设备能够完成socket.connect()
用于说明问题的简单客户端/服务器模型:
服务器:
def createServerSideSocket(port, backlog=5):
context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="cert.pem", keyfile="key.pem", password='tempPassword')
context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF #specifying flag to check crl
context.load_verify_locations(cafile = "crl.pem") #loading crl
sock = socket.socket()
sock.bind(('', port))
sock.listen(backlog) #listen on port 5000
return sock, context
port = 5000
sock, context = createServerSideSocket(port)
newSocket, fromAddr = sock.accept()
connStream = context.wrap_socket(newSocket, server_side=True)
print(bytes.decode(connStream.recv(1024))) #receive and print data
客户:
def createClientSideSocket(server_ip):
context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile="cacert.pem")
context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF #specifying flag to check crl
context.load_verify_locations("crl.pem") #loading crl
conn = context.wrap_socket(socket.socket(), server_hostname=server_ip)
return conn
conn = createClientSideSocket("192.168.1.7") #our IP address of the server
conn.connect(("192.168.1.7", 5000))
conn.sendall(str.encode("test data"))
当crl.pem具有0个吊销证书时,连接有效。当crl.pem进行任何吊销(即使对于握手中未使用的吊销)时,也会失败并显示以下错误:
在客户端上
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)
在服务器上:
[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:777)