How do I simplify SSL DNS verification?

Time: 2018-10-23 17:57:24

Tags: python python-3.x sockets security ssl

I have a very low-security environment (sensor data on a LAN) and I am trying to add a little bit of security on top of it.

I'm fairly sure this error is because the request wants a correct DNS name that is not available. The certificate is self-signed, with basically junk in the FQDN.

I get the following error:

$ python3 twistedClientsocketSSL.001.py
Error during info_callback
Traceback (most recent call last):
  File "/home/.local/lib/python3.5/site-packages/twisted/protocols/tls.py", line 315, in dataReceived
    self._checkHandshakeStatus()
  File "/home/.local/lib/python3.5/site-packages/twisted/protocols/tls.py", line 235, in _checkHandshakeStatus
    self._tlsConnection.do_handshake()
  File "/home/.local/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1906, in do_handshake
    result = _lib.SSL_do_handshake(self._ssl)
  File "/home/.local/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1288, in wrapper
    callback(Connection._reverse_mapping[ssl], where, return_code)
--- <exception caught here> ---
  File "/home/.local/lib/python3.5/site-packages/twisted/internet/_sslverify.py", line 1103, in infoCallback
    return wrapped(connection, where, ret)
  File "/home/.local/lib/python3.5/site-packages/twisted/internet/_sslverify.py", line 1216, in _identityVerifyingInfoCallback
    verifyHostname(connection, self._hostnameASCII)
  File "/home/.local/lib/python3.5/site-packages/service_identity/pyopenssl.py", line 48, in verify_hostname
    obligatory_ids=[DNS_ID(hostname)],
  File "/home/.local/lib/python3.5/site-packages/service_identity/_common.py", line 245, in __init__
    raise ValueError("Invalid DNS-ID.")
builtins.ValueError: Invalid DNS-ID.

main function encountered error
Traceback (most recent call last):
--- <exception caught here> ---
  File "twistedClientsocketSSL.001.py", line 18, in custom_trust
    response = yield treqish.get('https://192.168.1.7:1079')
twisted.web._newclient.ResponseNeverReceived: [<twisted.python.failure.Failure builtins.ValueError: Invalid DNS-ID.>]

Client code:

import treq
from twisted.internet import defer, ssl, task
from twisted.web import client

@task.react
@defer.inlineCallbacks
def custom_trust(_reactor):
    # load the self-signed server certificate from the PEM file and use it
    # as the only trust root (loadPEM is synchronous, so no yield is needed)
    with open('keys/server.crt') as cert_file:
        trust_root = ssl.Certificate.loadPEM(cert_file.read())

    # ready-made browser-like policy: verifies the chain against trust_root
    # and also checks that the certificate matches the requested host name
    policy = client.BrowserLikePolicyForHTTPS(trustRoot=trust_root)

    agent = client.Agent(_reactor, policy)
    treqish = treq.client.HTTPClient(agent)

    # the request is made by IP address, so the host name check is done
    # against "192.168.1.7"
    response = yield treqish.get('https://192.168.1.7:1079')
    content = yield response.content()
    print(content)

Corresponding server code:

$ cat twistedServersocketSSL.002.py    
import sys

from twisted.internet import endpoints, reactor, ssl
from twisted.web import server, resource
from twisted.python import log
from twisted.python.modules import getModule

class Example(resource.Resource):
    isLeaf = True

    def render_GET(self, request):
        return u'Hello World'.encode('ascii')

# create an SSL server endpoint from a description string:
# TLS on port 1079, bound to 192.168.1.7, using the self-signed
# certificate and its unencrypted private key
https_server = endpoints.serverFromString(
    reactor,
    'ssl:1079:interface=192.168.1.7:certKey=keys/server.crt:privateKey=keys/server_no_pass.key')

# start the server and log to stdout
site = server.Site(Example())
https_server.listen(site)
log.startLogging(sys.stdout)
reactor.run()

How can I simplify the SSL DNS verification so that this error goes away, or find a lightweight, low-security solution that can get plain text out of the network socket connection?
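The traceback shows the actual failure point: the browser-like policy hands the requested host, here the IP literal "192.168.1.7", to service_identity as a DNS-ID, and an IP address is not a valid DNS name, so the check raises before any certificate comparison happens. The example below is added here and is not code from the question, from Twisted, or from service_identity; it is a simplified stand-in for the RFC 6125-style identity check those libraries perform, written with only the standard library so it runs offline. The subjectAltName entries are constructed sample data in the tuple layout that Python's ssl.getpeercert() uses; the function names and the InvalidDNSID class are this example's own. It shows why an IP target can never satisfy a DNS-ID, and what a certificate needs (an IP Address SAN matching 192.168.1.7, or a DNS SAN matching a host name you connect by) for verification to pass without turning verification off.

```python
"""Added example: a stand-in for the server-identity check behind Twisted's
BrowserLikePolicyForHTTPS / service_identity.  Not the library's own code."""
import ipaddress

# Constructed sample subjectAltName entries, in the tuple layout that
# ssl.SSLSocket.getpeercert()["subjectAltName"] uses.  A certificate like this
# would satisfy the question's client if the policy also accepted IP-IDs.
SENSOR_CERT_SAN = (
    ("DNS", "sensor.lan"),
    ("DNS", "*.sensors.lan"),
    ("IP Address", "192.168.1.7"),
)


class InvalidDNSID(ValueError):
    """Raised when an IP literal or other non-hostname is used as a DNS-ID."""


def ip_id(target):
    """Parse an IP-ID; raises ValueError if `target` is not an IP literal."""
    return ipaddress.ip_address(target.strip("[]"))


def dns_id(target):
    """Model the DNS_ID constructor: accept only a syntactically valid hostname.

    This is the path the traceback on the page takes with "192.168.1.7".
    """
    try:
        ip_id(target)
        is_ip = True
    except ValueError:
        is_ip = False
    name = target.rstrip(".").lower()
    labels = name.split(".")
    if is_ip or not name or not all(labels) or "*" in name:
        raise InvalidDNSID("Invalid DNS-ID.")
    return name


def _dns_pattern_matches(pattern, name):
    """RFC 6125 style matching: at most one wildcard, only as the whole
    leftmost label, and never matching more than one label."""
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def verify_service_identity(san_entries, target, allow_ip_ids=True):
    """Return True if `target` (hostname or IP literal) matches the cert's SANs.

    With allow_ip_ids=False the check behaves like the page's policy, which
    only builds DNS-IDs: an IP target raises InvalidDNSID instead of matching.
    IP targets are compared as addresses against "IP Address" entries only;
    DNS targets against "DNS" entries only (the subject CN is never consulted).
    """
    ip = None
    if allow_ip_ids:
        try:
            ip = ip_id(target)
        except ValueError:
            ip = None
    if ip is not None:
        return any(san_type == "IP Address" and ipaddress.ip_address(san_value) == ip
                   for san_type, san_value in san_entries)
    name = dns_id(target)  # raises InvalidDNSID for "192.168.1.7", as on the page
    return any(san_type == "DNS" and _dns_pattern_matches(san_value, name)
               for san_type, san_value in san_entries)


if __name__ == "__main__":
    print(verify_service_identity(SENSOR_CERT_SAN, "192.168.1.7"))        # True
    print(verify_service_identity(SENSOR_CERT_SAN, "hall.sensors.lan"))   # True
    try:
        verify_service_identity(SENSOR_CERT_SAN, "192.168.1.7", allow_ip_ids=False)
    except InvalidDNSID as exc:
        print("DNS-ID only policy:", exc)                                 # Invalid DNS-ID.
```

The two ways out that keep verification on follow directly from the function: either connect by a host name that appears as a DNS SAN in the self-signed certificate (and resolve it locally, for example via the hosts file), or issue the certificate with an IP Address SAN for 192.168.1.7 and use a client policy that accepts IP-IDs. Either way the client still pins the self-signed certificate as its only trust root, which is what the question's trustRoot argument already does.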

0 answers:

No answers