我正在尝试连接到使用 HTTPS 客户端证书身份验证的 Web 服务器。当我使用 curl 时它工作正常:
leo@leo-VirtualBox:~/development/pki-client$ curl --key admin.privkey.pem --cert admin.crt -k --url "https://ca.cloud.leotr.org/"
<!DOCTYPE html>
<html>
<head>
<title>Welcome to CA</title>
<link href="/static/bootstrap/css/bootstrap.min.css" rel="stylesheet"/>
</head>
<body>
<div class="container">
<h1>REMS CA server</h1>
<p class="lead">Hello and welcome to REMS CA. Currently this page is
almost empty. But you can download CA root certificate and install it
into your browser ;)</p>
<a class="btn btn-large btn-primary" href="/remspki/cacert/">Download CA certificate</a>
<a class="btn btn-large" href="/admin/">Go to Admin site <i class="icon-arrow-right"></i> </a>
</div>
</body>
</html>
客户端私钥文件内容
leo@leo-VirtualBox:~/development/pki-client$ cat admin.privkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdN
ggw/D70jEfc7dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrg
EtRLyFFv3OB1sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qo
Ll7aBIpbugFew6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2
XUUMOqi+/jFmiXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi
/JR8dsm985c5KPLIxWVGK0VKC67catEY5j/70wIDAQABAoIBAAF+RwOhFmQIcBU7
kywMZ7XetGB6OTzSpBzzu5sjzLq4qqWtxfU00mL3gUzJPuQGE3Ldq986nhbR/mn3
6BkFpatsa8ypn0W9hYC8AK3KPPsmvGs+yCt/Lisxdv9PmcZc49LhWOtMBTMiYtFH
iTJdV5ToGT6kNirdLscxtCHsVe21EH2TMO4k06bK18UJFewswsyMN66FKX0wSF9w
yZ/9A9VJOaUOXo6Mos/tvyf9rjhOqb02DOqOuWVVFRWWax75+M2qKnacSuKfMPfc
21B3ulQRIcR7PjIVIMTZkLO+MjD7DBiywIcD50H1005cL05a8latjXdENY5Xeh9Z
duS4I5ECgYEA3BzbGf45gDzZWTeTjnfQ/9m3MuGmAzAG2zjStFQnquiMyH0IZzSB
/awKJxXcdO7cUXfjOWxIgA7nNj+ewOUXj5uQH9F+8cl+raxyEsixdPwfSzCyLcwD
Zp2SsoXKPRx12SrAbl5wQqePN6+pntLRmW8xfUKFZAhs5CtxQ6bymBkCgYEA1L+V
zas85TUITqZi0//lmdqWdfRhkHdIBkLsHxRE4RnEsfGqvy3XQZTQ0zLGjz4WtUSq
xjh0rK6jMGEGGypRM8G0kpfBpGFYu9Hy8hpFKDwnihfk/XnuaXBLiN82V8vVWGrl
tc5DrTHCxVbVW99W7IaVVLgY/D0kFI/195yYYMsCgYBGTIUBmTs+JLD6GJDs6IF8
pUkoW/8Md5NJAq3w4AvHPvxvr9c2NwPpQ7/+WbIOOpdtAZA1r8q784aOweTvEHvk
5rcyIlOb31GxIClSrHxYs4k/F29gxw6zAFJw59/+go90632IAmtyLlfEXjsbOZOt
oGC687rshvBYMzO6eqBySQKBgQCDG95x9Ql+J4SLE7br91PD0RXQc1587UWRtkRV
kuQv5PV2w/v5/YIehFt9DFmZhSXxZ/PmXHxqvuUKt4BP1XBdeQ6TGLrZVrScavJR
iSb9eLTVQYx5OV9X00B5hTW0PYWpC5esxwSmA3iIrM6n46dp9DarExkyuWs20NFA
W1z8qQKBgGD2XiB/N9QRVNW0CpuVgWx3HBllJpXT2QMeCx57AEeCmOnSkByyvYmR
Aszu2CQn2ynHO+3B46uJ+Sg2pmcEjvUrhERhRT23lpZY8VDGpfVjfQcqfVhwzrHQ
Y2kf6WV+C32klQ6bKOwwO9TavvKCloiENJfbRdLvGvswBVgnWlGW
-----END RSA PRIVATE KEY-----
客户端证书
leo@leo-VirtualBox:~/development/pki-client$ cat admin.crt
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMRIwEAYKCZImiZPyLGQB
GRYCS1oxGDAWBgoJkiaJk/IsZAEZFghSQUlMV0FZUzEUMBIGCgmSJomT8ixkARkW
BFJFTVMxCzAJBgNVBAMTAkNBMB4XDTEyMTIyODIyNTI1MFoXDTE3MTIyNzIyNTI1
MFowbjESMBAGCgmSJomT8ixkARkWAktaMRgwFgYKCZImiZPyLGQBGRYIUkFJTFdB
WVMxFDASBgoJkiaJk/IsZAEZFgRSRU1TMSgwEgYDVQQDEwtMZW8gVHJ1YmFjaDAS
BgoJkiaJk/IsZAEBEwRBMDAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdNggw/D70jEfc7
dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrgEtRLyFFv3OB1
sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qoLl7aBIpbugFe
w6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2XUUMOqi+/jFm
iXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi/JR8dsm985c5
KPLIxWVGK0VKC67catEY5j/70wIDAQABoz8wPTAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIC/DAdBgNVHQ4EFgQUbmKGUje1HCUQVd//jZjJmgYJ2mswDQYJKoZI
hvcNAQEFBQADggEBALJEtadF5zPh6pJzj0c2vLISnZ4jBi6aaCOvz1Ph2gFrI9te
mvXVnlFLe7JJxStDlLurQ+hLqY9Q8vIczAEp2r9uJyfBpeHsc0YP6UbOXg6WLHLl
fU0tKb9PqfcMwfKUH8Nb6Q6Kt5EuQzIraYweXHNyOiKSB3ZogjPVdZnoe5gXYUpG
5cE8k2SjGVEWxc94ygcbiN+ziaUz/jos+TwqgsBp+yel0frO3DKGqQjfuOLgeTpf
xaNlPXdzFfEn0VWva36skrRzHNwZESI/Dd626eyUfxuTLLq5+Gb1D8WZj5RRqu1n
I9cZs9gCmZswWQy2/cExRPhgSWbwUWOhOCQsFVo=
-----END CERTIFICATE-----
Python代码:
leo@leo-VirtualBox:~/development/pki-client$ cat httpstest.py
from httplib import HTTPSConnection
from config import ADMIN_CERT, ADMIN_KEY
h = HTTPSConnection(
'ca.cloud.leotr.org', 443, key_file=ADMIN_KEY, cert_file=ADMIN_CERT)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
print(resp.read())
输出:
leo@leo-VirtualBox:~/development/pki-client$ python httpstest.py
400
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
让我们尝试更多级别的 Python 代码
leo@leo-VirtualBox:~/development/pki-client$ cat ssltest.py
from config import ADMIN_CERT, ADMIN_KEY
import socket
import ssl
sock = socket.create_connection(('ca.cloud.leotr.org', 443), None)
print('Admin key: ', ADMIN_KEY)
print('Admin cert', ADMIN_CERT)
sslsock = ssl.wrap_socket(
sock, keyfile=ADMIN_KEY, certfile=ADMIN_CERT)
request = ('GET / HTTP/1.1',
'Host: ca.cloud.leotr.org',
'Accept: text/html',
'Accept-Encoding: gzip,deflate,sdch')
request_body = '\n'.join(request) + '\n'*2
sslsock.write(request_body)
response = sslsock.read()
print response
Python 结果
leo@leo-VirtualBox:~/development/pki-client$ python ssltest.py
('Admin key: ', 'admin.privkey.pem')
('Admin cert', 'admin.crt')
HTTP/1.1 400 Bad Request
Server: nginx/1.1.19
Date: Fri, 04 Jan 2013 04:59:52 GMT
Content-Type: text/html
Content-Length: 231
Connection: close
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
所以我不明白哪里出了问题。
最佳答案
这里的问题是您正在尝试连接到不在默认 CA 列表中的 CA。由于 CA 站点的证书由 CA 签名,因此在您首先下载并安装证书之前,无法通过 SSL 访问该站点。
HTML 结果显示有“下载 CA 根证书并将其安装到您的浏览器”的说明。如果您不这样做,您的浏览器会收到类似以下内容的错误消息:
Safari can't verify the identity of the website "ca.cloud.leotr.org".
The certificate for this website is invalid. You might be connecting to a website that is pretending to be "ca.cloud.leotr.org", which could put your confidential information at risk. Would you like to connection to the website anyway?
同样,如果您尝试使用 curl,您会得到同样的错误:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
这对 curl 起作用的唯一原因是您指定了 -k 标志,又名 --insecure。从手册页:
-k, --insecure
(SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.
See this online resource for further details:
http://curl.haxx.se/docs/sslcerts.html
同样,在您的 Python 代码中,您遇到了同样的错误。
在所有三种情况下,解决方案都是相同的:下载 CA 的证书并将其放入您的证书存储区(或明确使用它代替您的默认证书存储区)。
关于python - 无法使用 python HTTPSConnection() 连接到 Web 服务器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14151425/