
Python Twisted TLS connection with STARTTLS and authentication - error in example code?

I've been trying to create a simple Python Twisted TLS client/server application based on https://twistedmatrix.com/documents/14.0.0/core/howto/ssl.html#client-authentication and https://twistedmatrix.com/documents/14.0.0/core/howto/ssl.html#using-starttls . I.e., I want to create a plain text connection, then on client issue of a STARTTLS command, switch to a secure connection, with the appropriate certificate authentication. So far, I've had little joy.

My first concern is the client auth example in the URL above is wrong. This seems to suggest the client and server both need "server.pem" (private key and self-signed certificate together) and "public.pem" (the server's public certificate by itself). My understanding of authentication is that if the client has the server's private key, then this renders the authentication / security largely redundant? Assuming I'm right, how should this example look?

Secondly, as much as I've tried - I'm still struggling to get my head around the way Twisted works generally. Can someone give some illustration of how to amend the starttls example in the URL above to incorporate authentication?

Thanks!

My first concern is the client auth example in the URL above is wrong. This seems to suggest the client and server both need "server.pem" (private key and self-signed certificate together) and "public.pem" (the server's public certificate by itself). My understanding of authentication is that if the client has the server's private key, then this renders the authentication / security largely redundant? Assuming I'm right, how should this example look?

The URL you linked to is the "Client Authentication" section of the TLS documentation. It is demonstrating how you use a client-side certificate to authenticate the client to the server (note that what is common with TLS - HTTPS - is to authenticate the server to the client).

In the case of client authentication, the client does indeed need a private key and a certificate (self-signed or otherwise). This parallels the requirement that in "normal" TLS (where only the server authenticates itself to the client) the server must have a private key and a certificate (self-signed or otherwise).

The client does not need the server's private key, though. It needs its own. (Actually, it will work if both sides have the same key, but this isn't the typical case.)

Secondly, as much as I've tried - I'm still struggling to get my head around the way Twisted works generally. Can someone give some illustration of how to amend the starttls example in the URL above to incorporate authentication?

What kind of authentication do you want? If you're doing TLS client authentication, then that is a form of authentication. If that is sufficient, you just need to configure your server properly. The same certificate validation logic that clients normally do for the server certificate presented is done - but in the opposite direction - when you use a client certificate. The server looks for a chain of valid signatures from the certificate to one of its trust roots.
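The file layout the answer describes (each side holds only its own private key plus certificate, and the other side's public certificate as a trust root), wired into a STARTTLS-style upgrade, as an added example that is not from the question, the answer or the Twisted documentation. It uses Python's standard-library ssl module instead of Twisted so it runs stand-alone; the certificates are generated on the fly with the openssl command-line tool, which is assumed to be installed.

```python
"""Constructed STARTTLS + mutual-TLS demo (stdlib ssl, not Twisted).
Server holds server.key + server.crt and trusts client.crt; client holds
client.key + client.crt and trusts server.crt. Neither side has the other's key."""
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir, name):
    """Self-signed key+cert with CN and SAN = name (assumes the openssl CLI exists)."""
    key, crt = os.path.join(workdir, name + ".key"), os.path.join(workdir, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", "/CN=" + name,
                    "-addext", "subjectAltName=DNS:" + name], check=True, capture_output=True)
    return key, crt

def run_starttls_exchange():
    """Plaintext STARTTLS handshake, then a mutually authenticated TLS exchange."""
    with tempfile.TemporaryDirectory() as d:
        srv_key, srv_crt = make_self_signed(d, "server")
        cli_key, cli_crt = make_self_signed(d, "client")
        # Server: own private key + cert; the client's public cert is its only trust root.
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(srv_crt, srv_key)
        srv_ctx.verify_mode = ssl.CERT_REQUIRED        # client must present a cert
        srv_ctx.load_verify_locations(cli_crt)
        # Client: own private key + cert; the server's public cert is its only trust root.
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
        cli_ctx.load_cert_chain(cli_crt, cli_key)
        cli_ctx.load_verify_locations(srv_crt)
        a, b = socket.socketpair()                     # stands in for a TCP connection
        a.settimeout(15); b.settimeout(15)
        result = {}

        def server():
            if a.recv(64) != b"STARTTLS":              # plaintext phase
                a.close(); return
            a.sendall(b"OK")
            tls = srv_ctx.wrap_socket(a, server_side=True)   # handshake happens here
            result["client_cn"] = tls.getpeercert()["subject"][0][0][1]
            tls.sendall(b"hello over TLS")
            tls.close()

        t = threading.Thread(target=server); t.start()
        b.sendall(b"STARTTLS")
        assert b.recv(64) == b"OK"
        tls = cli_ctx.wrap_socket(b, server_hostname="server")
        result["server_cn"] = tls.getpeercert()["subject"][0][0][1]
        result["payload"] = tls.recv(64)
        tls.close(); t.join()
        return result
```

Twisted's CertificateOptions takes the same three pieces per side (own key, own certificate, peer's certificate as a trust root with verify and requireCertificate enabled), and transport.startTLS performs the upgrade that wrap_socket does here.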
