A Python 3.7 (OpenSSL 1.1.0i) client and server cannot establish an SSL/TLS connection when using DHE + AESGCM cipher suites.
I am trying to create an SSL/TLS connection using DHE-RSA-AES128-GCM-SHA256,
but the connection is not established, and the server shows me a "no shared cipher" exception:
INFO:root:Listening on 127.0.0.1:8765
INFO:root:Cipher suites:
TLSv1.2 DHE-DSS-AES256-GCM-SHA384
TLSv1.2 DHE-RSA-AES256-GCM-SHA384
TLSv1.2 DHE-DSS-AES128-GCM-SHA256
TLSv1.2 DHE-RSA-AES128-GCM-SHA256
INFO:root:Connection from 127.0.0.1:20938
ERROR:root:[SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1051)
On the client side, it shows me "sslv3 alert handshake failure":
INFO:root:Connecting to 127.0.0.1:8765
ERROR:root:[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1051)
This problem is not specific to DHE-RSA-AES128-GCM-SHA256;
it affects all DHE + AESGCM ciphers.
Server:
#!python
# -*- coding: utf-8 -*-
import logging
import sys
import ssl
import socket

SERVER_ADDRESS = ('127.0.0.1', 8765)
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)


def main():
    # Server context: only DHE + AES-GCM suites, RSA certificate and key
    ssl_context = ssl.SSLContext()
    ssl_context.set_ciphers('DHE+AESGCM')
    ssl_context.load_cert_chain(certfile='D:/tls/server-cer.pem', keyfile='D:/tls/server-prk.pem')
    server_host, server_port = SERVER_ADDRESS
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
        server_socket.bind((server_host, server_port))
        server_socket.listen(1)
        logging.info(f'Listening on {server_host}:{server_port}')
        # Log every suite the context reports as enabled
        # noinspection PyUnresolvedReferences
        ciphers = "\n\t".join(f'{i["protocol"]} {i["name"]}' for i in ssl_context.get_ciphers())
        logging.info(f'Cipher suites:\n\t{ciphers}')
        while True:
            try:
                client_socket, client_address = server_socket.accept()
                client_host, client_port = client_address
                logging.info(f'Connection from {client_host}:{client_port}')
                with client_socket:
                    # The handshake happens here; SSLError is raised on failure
                    with ssl_context.wrap_socket(client_socket, server_side=True) as client_ssl_socket:
                        tls_cipher, tls_version, _ = client_ssl_socket.cipher()
                        logging.info(f'Cipher suite: {tls_version} {tls_cipher}')
            except ssl.SSLError as ssl_error:
                logging.error(ssl_error)


if __name__ == '__main__':
    main()
Server certificate:
Server private key (for testing only):
Client:
#!python
# -*- coding: utf-8 -*-
import logging
import sys
import ssl
import socket

SERVER_ADDRESS = ('127.0.0.1', 8765)
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)


def main():
    # Client context: same DHE + AES-GCM suites, CA certificate for the server
    ssl_context = ssl.SSLContext()
    ssl_context.set_ciphers('DHE+AESGCM')
    ssl_context.load_verify_locations(cafile='D:/tls/ca-cer.pem')
    server_host, server_port = SERVER_ADDRESS
    try:
        with socket.create_connection((server_host, server_port)) as client_socket:
            logging.info(f'Connecting to {server_host}:{server_port}')
            # The handshake happens here; SSLError is raised on failure
            with ssl_context.wrap_socket(client_socket, server_hostname=server_host) as client_ssl_socket:
                logging.info(f'Connection from {client_ssl_socket.version()} {client_ssl_socket.cipher()}')
    except ssl.SSLError as ssl_error:
        logging.error(ssl_error)
    except ConnectionRefusedError as connection_refused_error:
        logging.error(connection_refused_error)


if __name__ == '__main__':
    main()
CA certificate:
I cannot find the reason the connection is not established. OpenSSL supports DHE + AESGCM ciphers, and the client and the server both run the same version of Python and OpenSSL.
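The server side above never loads Diffie-Hellman parameters, and with OpenSSL 1.1.0 a DHE suite is only selectable when the server context has DH parameters: `get_ciphers()` still lists the suites, but the server drops every DHE suite when choosing a cipher and answers NO_SHARED_CIPHER. The following is an added example, not code from the question, showing the corrected context setup on both sides; the file names `server-cer.pem`, `server-prk.pem`, `dhparams.pem` and `ca-cer.pem` are assumptions, and `dhparams.pem` is assumed to have been generated beforehand with `openssl dhparam -out dhparams.pem 2048`.

```python
import ssl

# Assumed file names (constructed for this example). dhparams.pem is created
# beforehand with: openssl dhparam -out dhparams.pem 2048
CERT_FILE, KEY_FILE = 'server-cer.pem', 'server-prk.pem'
DH_PARAMS_FILE, CA_FILE = 'dhparams.pem', 'ca-cer.pem'
CIPHERS = 'DHE+AESGCM'


def negotiable_suites(ctx):
    """Pre-TLS 1.3 suite names the context offers. OpenSSL 1.1.1+ also lists
    the fixed TLS 1.3 suites (TLS_AES_...), which set_ciphers() does not
    control, so they are filtered out."""
    return [c['name'] for c in ctx.get_ciphers() if not c['name'].startswith('TLS_')]


def expand_cipher_string(ciphers=CIPHERS):
    """What a cipher string resolves to on this OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ciphers)
    return negotiable_suites(ctx)


def all_dhe_gcm(names):
    """True when every suite uses DHE key exchange with AES-GCM."""
    return bool(names) and all(n.startswith('DHE-') and 'GCM' in n for n in names)


def build_server_context(certfile, keyfile, dhparams):
    """Server context restricted to DHE+AESGCM *with* DH parameters.

    get_ciphers() lists the DHE suites either way, but without DH parameters
    the server has no group for the ephemeral exchange, drops every DHE suite
    when choosing a cipher and reports NO_SHARED_CIPHER."""
    if not dhparams:
        raise ValueError('DHE suites need DH parameters: call load_dh_params()')
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(CIPHERS)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    ctx.load_dh_params(dhparams)  # the call missing from the original server
    return ctx


def build_client_context(cafile):
    """Client context for the same suites. PROTOCOL_TLS_CLIENT turns on
    CERT_REQUIRED and check_hostname; a bare ssl.SSLContext() as in the
    original client loads the CA file but never uses it for verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(CIPHERS)
    ctx.load_verify_locations(cafile=cafile)
    return ctx
```

With OpenSSL 1.1.1 or later the two contexts may negotiate TLS 1.3 instead, where the chosen suite is one of the TLS_ names; set `maximum_version = ssl.TLSVersion.TLSv1_2` on the server context if the DHE suite itself must be observed in the log.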