我在 python 3.6 中使用 ssl 库。我使用的是用 openssl 生成的自签名 ECDSA 证书。
服务器/客户端代码:
# Create a context in TLSv1.2, requiring a certificate (2-way auth)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True # This line ommited in server code
# Set the list of allowed ciphers to those with key length of at least 128
# TODO Figure out why this isn't working
context.set_ciphers('TLSv1.2+HIGH+SHA256+ECDSA')
# Print some info about the connection
for cipher in context.get_ciphers():
print(cipher)
输出:
{'id': 50380835, 'name': 'ECDHE-ECDSA-AES128-SHA256', 'protocol': 'TLSv1/SSLv3', 'description': 'ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256', 'strength_bits': 128, 'alg_bits': 128}
当前密码:
connection.cipher()
('ECDHE-ECDSA-AES128-SHA256', 'TLSv1/SSLv3', 128)
我的问题:为什么选择的密码不是 TLSv1.2?
编辑:要求截图
基于另一个线程,我尝试将我的代码更改为以下内容,但没有成功。
# Create a context in TLSv1.2, requiring a certificate (2-way auth)
self.context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
self.context.options |= ssl.OP_NO_SSLv2
self.context.options |= ssl.OP_NO_SSLv3
self.context.options |= ssl.OP_NO_TLSv1
self.context.options |= ssl.OP_NO_TLSv1_1
self.context.verify_mode = ssl.CERT_REQUIRED
# self.context.check_hostname = True
# Set the list of allowed ciphers to those with high key length
# I went with SHA384 because it seemed to have more security
self.context.set_ciphers('TLSv1.2+ECDSA+HIGH')
最佳答案
此密码与 TLS 1.2 兼容,它是 RFC 5289 中定义的普通密码.
我认为我们需要稍微解释一下 Python 的文档,以了解 get_ciphers() 返回的内容,因为它没有解释。但是 cipher() 可能给了我们答案:
SSLSocket.cipher()
Returns a three-value tuple containing the name of the cipher being used, the version of the SSL protocol that defines its use, and the number of secret bits being used. If no connection has been established, returns None.
网络捕获将确认 TLS 协议(protocol)版本。
关于Python 3.6 SSL - 使用 TLSv1.0 而不是 TLSv1.2 密码 -(2 种身份验证和自签名证书),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49036748/