如何设置aiohttp https服务器和客户端？

Question

我正在尝试学习如何在服务器和工作人员之间通过开放式网络传输数据后防止数据被更改

在我的脑海中，我想它应该遵循以下内容：

|server|---send_job----->|worker|
|      |<--send_results--|      |
|      |                 |      |
|      |-send_kill_req-->|      |

很明显，我不希望有人改变我的send_job来做邪恶的事情，也不希望有人偷看我的结果。

所以我有一个非常简单的aiohttp客户/服务器设置，我试图将ssl实现到其中，但我完全迷失了。

以下是我尝试过的最基本的内容，但是我也尝试过通过以下方式实现自己的ssl证书：

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt

跟随documentation，但我仍然无法get做出任何回应。

我该如何正确实施ssl_context才能使其正常工作？！

server.py

from aiohttp import web
import msgpack
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])

ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)

client.py     导入aiohttp     导入异步     导入ssl

async def main():
    sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    async with aiohttp.ClientSession() as session:
        async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
            html = await response.read()
            print(html)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())

1. 在一个窗口中运行python3 server.py
2. 在另一个窗口中运行python3 client.py

然后我通常会遇到类似这样的情况：

Traceback (most recent call last):
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
    yield from waiter
ConnectionResetError

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "client.py", line 14, in <module>
    loop.run_until_complete(main())
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
    return future.result()
  File "client.py", line 9, in main
    async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
    self._resp = await self._coro
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
    timeout=timeout
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
    req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
    raise last_exc
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
    req=req, client_error=client_error)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
    raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]

---

解决方案：

这是一个两部分的问题，

1. 我不知道我在用openssl做些什么，请求库帮助我弄清楚了！

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
   

   事实证明，当我制作openssl证书时，我刚刚将这些行设置为默认行实际上很重要。类似于

   的更正确（但可能仍然错误）的配置

   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:.
   Locality Name (eg, city) []:.
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
   Organizational Unit Name (eg, section) []:.
   Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
   Email Address []:.
   

   将我引向结果：

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
   

   看起来'subjectAltName'很难添加，比简单的命令需要更多的工作，您需要遵循this这样的指南，我将尝试一下，看看如果该错误消失了。

2. 我认为我错误地使用了ssl.Purpose.CLIENT/SERVER_AUTH，就像@Andrej提到的那样，我改变了这一点（如下文所示），并做了一些其他更改，现在我得到了正确的答案。我只是说，我绝对仍然不了解ssl.Purpose，但至少我现在有可以使用的功能，希望我能及时弄清楚。
   client.py

   import aiohttp
   import asyncio
   import ssl
   
   
   async def main():
       sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt')
       async with aiohttp.ClientSession() as session:
           async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response:
               html = await response.read()
               print(html)
   
   loop = asyncio.get_event_loop()
   loop.run_until_complete(main())
   

   server.py

   from aiohttp import web
   import ssl
   
   async def handle(request):
       name = request.match_info.get('name', "Anonymous")
       text = "Hello, " + name
       return web.Response(text=text)
   
   app = web.Application()
   app.add_routes([web.get('/', handle),
                   web.get('/{name}', handle)])
   
   ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
   ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
   web.run_app(app, ssl_context=ssl_context)
   

   commandline

   >python3 server.py
   # Switch to a new window/pane
   >python3 client.py
   b'Hello, JOHNYY'
   

Answer 1

您正在创建证书，但未将其加载到SSL链中。并将ssl_context创建从ssl.Purpose.SERVER_AUTH更改为ssl.Purpose.CLIENT_AUTH：

from aiohttp import web
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])


ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')

web.run_app(app, ssl_context=ssl_context)

运行服务器时，客户端将在连接时打印：

b'Hello, Anonymous'