python ssl客户端认证 5C

server端

 # coding:utf-8
from __future__ import absolute_import, division, print_function, with_statement
import socket, ssl
import os
import tornado.tcpserver
from tornado.ioloop import IOLoop
import tornado.gen
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("/keys/server.crt",
                        "/keys/server.key")
ssl_ctx.load_verify_locations("keys/ca.crt")
ssl_ctx.verify_mode = ssl.CERT_REQUIRED


class A(tornado.tcpserver.TCPServer):
    def handle_stream(self, stream, address):
        self.run(stream)

    @tornado.gen.coroutine
    def run(self, stream):
        body = yield stream.read_bytes(111110, partial=True)
        print(body)

def main():
    server = A(ssl_options=ssl_ctx)
    server.listen(6030, '')


io_loop = IOLoop.current()

io_loop.add_callback(main)
io_loop.start()

client端

 # coding:utf-8

import socket, ssl, pprint
import os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("keys/server.crt","keys/server.key")
ssl_sock = ssl_ctx.wrap_socket(s)
ssl_sock.connect(('localhost', 6030))
print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
print pprint.pformat(ssl_sock.getpeercert())
ssl_sock.write("boo!")

运行后

服务器端报错

[SSL: NO_CERTIFICATE_RETURNED] no certificate returned (_ssl.c:590)

客户端也报错

[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590)

我想做的是ssl双向认证

3个回答

客户端用的证书跟服务端应该不一样。只不过客户端的证书签发的CA,服务端能够认可

知道不一样,做测试的时候是一样的

服务端这个地方错了:
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
要修改为
ssl_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
并增加
ssl_ctx.check_hostname = False

客户端少了验证服务器的CA证书,需增加一行
ssl_ctx.load_verify_locations("keys/ca.crt")

如果你的server.crt证书中域名和主机名不匹配,客户端需要再加两个语句
ssl_ctx.check_hostname=False
ssl_ctx.verify_mode = CERT_NONE

另外,你的证书用途(X.509证书扩展中的ext_usage)必须同时具备serverAuth和clientAuth用途

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐