
Manually verify certificates in Python3 ssl

I am developing the client- and server-side of a Python3 application. They must communicate over TLS using self-signed certs.

The connection should always be established, even if both have never seen the other, thus neither has the other's cert in its trust store. Verification shall happen after the handshake with a custom method.

However, Python's ssl library attempts to verify the certificate during handshake and this fails if the incoming cert is unknown and has no valid certificate chain. Setting verify_mode to CERT_NONE is also not an option, since I do require the certificates from both sides for my custom verification method.

So my question: How can I require a certificate from the other side but turn off automatic verification during handshake? Or maybe I can pass a custom verifier method that gets called?

Thanks!

You can use ssl.get_server_certificate((host,port)). It will return the certificate in PEM format.
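An added example, not part of the original question or answer: a client-side sketch that completes the handshake without chain validation and then applies a custom check to the certificate of that same connection, here a SHA-256 fingerprint pin. The helper names and the pinning policy are assumptions chosen for illustration, and only the client side is covered.

```python
# Added example: helper names and the pinning policy are assumptions.
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def is_trusted(der_cert, trusted_fingerprints) -> bool:
    """Custom check: constant-time match against pinned fingerprints."""
    if not der_cert:  # peer sent no certificate: fail closed
        return False
    actual = sha256_fingerprint(der_cert)
    pins = [fp.replace(":", "").lower() for fp in trusted_fingerprints]
    return any(hmac.compare_digest(actual, pin) for pin in pins)


def pem_is_trusted(pem_cert: str, trusted_fingerprints) -> bool:
    """Same check for the PEM text returned by ssl.get_server_certificate()."""
    return is_trusted(ssl.PEM_cert_to_DER_cert(pem_cert), trusted_fingerprints)


def unverified_client_context() -> ssl.SSLContext:
    """Client context that completes the handshake without chain validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_and_verify(host, port, trusted_fingerprints, timeout=5.0):
    """Handshake, then verify the certificate of this very connection.

    ssl.get_server_certificate() opens and closes its own connection, so
    checking its result says nothing about a socket opened afterwards.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = unverified_client_context().wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # available even with CERT_NONE
    if not is_trusted(der, trusted_fingerprints):
        tls.close()  # reject before any application data is sent
        raise ssl.SSLError(f"untrusted certificate from {host}:{port}")
    return tls
```

With validation disabled in the context, the fingerprint comparison is the only thing authenticating the peer, so nothing should be written to the socket until `connect_and_verify` has returned.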

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.