Question

我尝试使用如下的PEM证书发布HTTPS请求：

import httplib  
CERT_FILE = '/path/certif.pem'
conn = httplib.HTTPSConnection('10.10.10.10','443', cert_file =CERT_FILE)   
conn.request("POST", "/") 
response = conn.getresponse()       
print response.status, response.reason
conn.close()

我有以下错误：

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.6/httplib.py", line 914, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.6/httplib.py", line 951, in _send_request
self.endheaders()
File "/usr/lib/python2.6/httplib.py", line 908, in endheaders
self._send_output()
File "/usr/lib/python2.6/httplib.py", line 780, in _send_output
self.send(msg)
File "/usr/lib/python2.6/httplib.py", line 739, in send
self.connect()
File "/usr/lib/python2.6/httplib.py", line 1116, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
File "/usr/lib/python2.6/ssl.py", line 338, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "/usr/lib/python2.6/ssl.py", line 118, in __init__
cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336265225] _ssl.c:339: error:140B0009:SSL       
routines:**SSL_CTX_use_PrivateKey_file**:PEM lib

当我从httplib中删除cert_file时，我得到以下响应：

200 ok

当我添加身份验证标头（如MattH建议）和空邮件有效负载时，它也有效。

然而，当我把好的请求与Path，Body和Header放在一起时，就像下面一样（我简化了它们......）

body = '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">blablabla</S:Envelope>'
URLprov = "/syncaxis2/services/XXXsyncService"
auth_header = 'Basic %s' %  (":".join(["xxx","xxxxx"]).encode('Base64').strip('\r\n'))
conn.request("POST",URLprov,body,{'Authenticate':auth_header})

我有401个未经授权的回复！

如您所见，首先，我要求提供PrivateKey！如果我是客户，为什么我需要PrivateKey？然后，当我删除PrivateKey和证书，并把路径/正文/标题放入401 Unauthorized错误消息WWW-Authenticate：Basic realm =＆＃34; SYNCNB Server Realm＆＃34;。

有人可以解释这个问题吗？是否有其他方法可以使用Python中的证书发送HTTPS请求？

Answer 1

听起来你需要类似于我之前提供的答案simple client certificate authentication。以下是为您的问题略微修改的代码：

import httplib
import urllib2

PEM_FILE = '/path/certif.pem' # Renamed from PEM_FILE to avoid confusion
CLIENT_CERT_FILE = '/path/clientcert.p12' # This is your client cert!

# HTTPS Client Auth solution for urllib2, inspired by
# http://bugs.python.org/issue3466
# and improved by David Norton of Three Pillar Software. In this
# implementation, we use properties passed in rather than static module
# fields.
class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
    def __init__(self, key, cert):
        urllib2.HTTPSHandler.__init__(self)
        self.key = key
        self.cert = cert
    def https_open(self, req):
        #Rather than pass in a reference to a connection class, we pass in
        # a reference to a function which, for all intents and purposes,
        # will behave as a constructor
        return self.do_open(self.getConnection, req)
    def getConnection(self, host):
        return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert)


cert_handler = HTTPSClientAuthHandler(PEM_FILE, CLIENT_CERT_FILE)
opener = urllib2.build_opener(cert_handler)
urllib2.install_opener(opener)

f = urllib2.urlopen("https://10.10.10.10")
print f.code

Answer 2

请参阅http://docs.python.org/library/httplib.html

httplib.HTTPSConnection不会对服务器的证书进行任何验证。

包含私有证书的选项是服务器对客户端进行基于证书的身份验证。即服务器正在检查客户端是否有由其信任的CA签名的证书，并且允许其访问它的资源。

如果未指定cert optional参数，则应该能够连接到HTTPS服务器，但不能验证服务器证书。

<强>更新

根据您的评论，您已经尝试过基本身份验证，看起来服务器仍然希望您使用基本身份验证进行身份验证。您的凭据是无效的（您是否已独立验证它们？）或您的Authenticate标头格式不正确。修改示例代码以包含基本身份验证标头和空邮件有效负载：

import httplib  
conn = httplib.HTTPSConnection('10.10.10.10','443')   
auth_header = 'Basic %s' % (":".join(["myusername","mypassword"]).encode('Base64').strip('\r\n'))
conn.request("POST", "/","",{'Authorization':auth_header}) 
response = conn.getresponse()       
print response.status, response.reason
conn.close()

Answer 3

您正在尝试连接到需要基于客户端证书进行身份验证的Web服务。

你确定你有PEM文件而不是PKCS＃12文件吗？ PEM文件看起来像这样（是的，我知道我包含了一个私钥......这只是我为这个例子生成的一个虚拟对象）：

阅读this问题。

使用PEM证书的HTTPS连接

3 个答案: