堆栈内存溢出
  简体   繁体   English

如何验证双绞线SSL客户端中的SSL服务器证书

[英]How to validate the SSL server certificate in twisted SSL client

 原文  2013-02-22 14:36:13       python/ ssl/ ssl-certificate/ twisted

问题描述

How do I validate the SSL server certificates in my twisted SSL client? 如何在我的双绞线SSL客户端中验证SSL服务器证书?

I am very much beginner to the SSL, I have gone through the twisted SSL tutorials but still I am unclear about some things. 我非常熟悉SSL,我已经完成了扭曲的SSL教程,但我仍然不清楚某些事情。

My queries are: 我的疑问是:

  • How should I validate the SSL server certificate using twisted.internet.ssl module, 我应该如何使用twisted.internet.ssl模块验证SSL服务器证书,

  • How ssl.ClientContextFactory.getContext method is useful while dealing with SSL, 在处理SSL时, ssl.ClientContextFactory.getContext方法如何有用,

  • How can I tell twisted SSL client about the location of the public key file? 如何告知扭曲的SSL客户端公钥文件的位置?

1 个解决方案

解决方案1
 4 已采纳  2013-02-27 02:42:03

Since Twisted 14.0, optionsForClientTLS is the best way to do this: 从Twisted 14.0开始, optionsForClientTLS是执行此操作的最佳方法: 

from twisted.internet.ssl import optionsForClientTLS
from twisted.internet.endpoints import SSL4ClientEndpoint

ctx = optionsForClientTLS(hostname=u"example.com")
endpoint = SSL4ClientEndpoint(reactor, host, port, ctx)
factory = ...
d = endpoint.connect(factory)
...

optionsForClientTLS takes other (optional) arguments as well which may also be useful. optionsForClientTLS采用其他(可选)参数,这也可能有用。

Prior to Twisted 14.0, the process was a bit more involved: 在Twisted 14.0之前,该过程涉及更多:

After the connection is established and the SSL handshake has completed successfully (which means the certificate is currently valid based on its notBefore and notAfter values and that it is signed by a certificate authority certificate which you have indicated is trusted) you can get the certificate from the transport: 建立连接并且SSL握手成功完成后(这意味着证书当前基于其notBeforenotAfter值有效,并且它由您指示的证书颁发机构证书签名是可信的),您可以从中获取证书运输: 

certificate = self.transport.getPeerCertificate()

The certificate is represented as a pyOpenSSL X509 instance. 证书表示为pyOpenSSL X509实例。 It has a method you can use to retrieve the certificate's subject name: 它有一个方法可用于检索证书的主题名称: 

subject_name = certificate.get_subject()

The subject name is a distinguished name, represented as a pyOpenSSL X509Name instance. 主题名称是可分辨名称,表示为pyOpenSSL X509Name实例。 You can inspect its fields: 您可以检查其字段: 

common_name = subject_name.commonName

This is a string, for example "example.com" . 这是一个字符串,例如"example.com"

If you need to inspect the subjectAltName instead (which it's likely you do), then you can find this information in the extensions of the certificate: 如果您需要检查subjectAltName (您可能会这样做),那么您可以在证书的扩展中找到此信息: 

extensions = certificate.get_extensions()

This is a list of pyOpenSSL X509Extension instances. 这是pyOpenSSL X509Extension实例的列表。 You'll have to parse each one to find the subjectAltName and its value. 您必须解析每一个以找到subjectAltName及其值。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在python中验证服务器的SSL证书? - How to validate server's ssl certificate in python? Python Twisted:SSL例程,ssl3_get_server_certificate错误 - Python Twisted : SSL routines , ssl3_get_server_certificate errors Python-SSL客户端/服务器证书 - Python - SSL Client/Server Certificate Python Twisted SSL的证书生成 - Certificate Generation for Python Twisted SSL 如何知道我的服务器是否正在使用SSL(使用Twisted) - How to know if my server is using SSL or not (with Twisted) Python / Twisted程序在Windows下验证SSL证书的正确方法是什么? - What's the right way for a Python/Twisted program to validate an SSL certificate under Windows? 禁用 SSL 证书检查 Twisted Agents - Disable SSL certificate check Twisted Agents 如何向客户端发送ssl证书链 - How to send ssl certificate chain to client Python Selenium - 如何指定在客户端SSL身份验证中使用的客户端证书 - Python Selenium - How to specify a client certificate to use in client SSL authentication 基本的SSL服务器使用扭曲不响应 - Basic SSL Server Using Twisted Not Responding
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM