[英]how to setup a aiohttp https server and client?
I'm trying to learn how I might secure data from being altered after being passed over an open.network between a server and a worker我正在尝试了解如何保护数据在服务器和工作人员之间通过 open.network 传递后不被更改
in my head I was thinking that it should follow something like:在我的脑海里,我认为它应该遵循以下内容:
|server|---send_job----->|worker|
| |<--send_results--| |
| | | |
| |-send_kill_req-->| |
obviously I don't want someone altering my send_job
to do something nefarious, and I don't want someone to be peeking at my results.显然我不希望有人改变我的
send_job
来做一些邪恶的事情,我也不希望有人偷看我的结果。
so I have a super simple aiohttp
client/server setup that I'm trying to implement ssl
into but I'm completely lost.所以我有一个超级简单的
aiohttp
客户端/服务器设置,我正在尝试将ssl
实现到其中,但我完全迷路了。
below is the most basic stuff I've tried, but I've also tried implementing my own ssl certificates via:下面是我尝试过的最基本的东西,但我也尝试通过以下方式实现我自己的 ssl 证书:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt
along with following the documentation but I'm still never able to get
any response at all.以及遵循文档,但我仍然无法
get
任何回应。
How would I properly implement the ssl_context
to get this to work?!我将如何正确实施
ssl_context
才能使其正常工作?!
server.py
from aiohttp import web
import msgpack
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)
client.py
import aiohttp import asyncio import ssl client.py
导入 aiohttp 导入 asyncio 导入 ssl
async def main():
sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
async with aiohttp.ClientSession() as session:
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
html = await response.read()
print(html)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
python3 server.py
in one windowpython3 server.py
python3 client.py
in another windowpython3 client.py
I then end up usually with something like:然后我通常会得到类似的东西:
Traceback (most recent call last):
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
return await self._loop.create_connection(*args, **kwargs)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
sock, protocol_factory, ssl, server_hostname)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
yield from waiter
ConnectionResetError
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "client.py", line 14, in <module>
loop.run_until_complete(main())
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
return future.result()
File "client.py", line 9, in main
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
self._resp = await self._coro
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
timeout=timeout
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
proto = await self._create_connection(req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
raise last_exc
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
req=req, client_error=client_error)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]
This was a two part problem,这是一个两部分的问题,
I had no idea what I was doing with openssl, the requests library helped me figure this out!我不知道我在用 openssl 做什么,请求库帮助我解决了这个问题!
import requests requests.get("https://0.0.0.0:8443", verify="domain_srv.crt") SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
As it turns out, those lines I just made default when making my openssl certificates actually mattered.事实证明,我在制作 openssl 证书时默认设置的那些行实际上很重要。 A slightly more correct (but probably still wrong) config similar to
稍微更正确(但可能仍然错误)的配置类似于
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Inte.net Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg server FQDN or YOUR name) []:0.0.0.0 Email Address []:.
led me to the result:让我得到了结果:
import requests requests.get("https://0.0.0.0:8443", verify="domain_srv.crt") SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
It would appear that 'subjectAltName' is something a little more difficult to add, requiring a lot more work than a simple command, you'll want to follow a guide like this , I will try it and see if that error goes away. “subjectAltName”似乎有点难以添加,需要比简单命令更多的工作,您需要遵循这样的指南,我会尝试一下,看看该错误是否消失。
I think I was using ssl.Purpose.CLIENT/SERVER_AUTH
wrongly, as @Andrej mentioned, I switched that around (as I will show below) and made a few other changes and now I am getting the correct responses.我想我错误地使用
ssl.Purpose.CLIENT/SERVER_AUTH
,正如@Andrej 提到的那样,我将其切换(如下所示)并进行了一些其他更改,现在我得到了正确的响应。 I'll just say that, I definitely still don't understand ssl.Purpose
but at least I have something that I can work with for now, and hopefully I'll figure out the rest in time.我只想说,我肯定还是不明白
ssl.Purpose
但至少我现在有一些可以使用的东西,希望我能及时弄清楚 rest。
client.py
import aiohttp import asyncio import ssl async def main(): sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt') async with aiohttp.ClientSession() as session: async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response: html = await response.read() print(html) loop = asyncio.get_event_loop() loop.run_until_complete(main())
server.py
from aiohttp import web import ssl async def handle(request): name = request.match_info.get('name', "Anonymous") text = "Hello, " + name return web.Response(text=text) app = web.Application() app.add_routes([web.get('/', handle), web.get('/{name}', handle)]) ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key') web.run_app(app, ssl_context=ssl_context)
commandline
>python3 server.py # Switch to a new window/pane >python3 client.py b'Hello, JOHNYY'
EDIT : I just wanted to post an update for anyone that's working on this type of problem.编辑:我只想为正在处理此类问题的任何人发布更新。 I think that using the python cryptography library is a nicer way of generating the crt/key files so if you're interested feel free to use/modify this template (I make no promise that these are best practices):
我认为使用 python 加密库是生成 crt/密钥文件的更好方法,因此如果您有兴趣,请随意使用/修改此模板(我没有 promise,这些是最佳实践):
#!/usr/bin/env python
"""
stuff for network security
"""
import socket
import datetime
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import attr
@attr.s(auto_attribs=True)
class Netsec:
hostname: str = attr.Factory(socket.gethostname)
out_file_name: str = "domain_srv"
def generate_netsec(self):
# GENERATE KEY
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
with open(f"{self.out_file_name}.key", "wb") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wala Wala"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"),
x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
# Our certificate will be valid for 5 years
datetime.datetime.utcnow() + datetime.timedelta(days=365*5)
).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"localhost"),
x509.DNSName(self.hostname),
x509.DNSName(u"127.0.0.1")]),
critical=False,
# Sign our certificate with our private key
).sign(key, hashes.SHA256(), default_backend())
with open(f"{self.out_file_name}.crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
You are creating the certificates but not loading them to the SSL chain.您正在创建证书但未将它们加载到 SSL 链。 And change your ssl_context creation from
ssl.Purpose.SERVER_AUTH
to ssl.Purpose.CLIENT_AUTH
:并将您的 ssl_context 创建从
ssl.Purpose.SERVER_AUTH
为ssl.Purpose.CLIENT_AUTH
:
from aiohttp import web
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
web.run_app(app, ssl_context=ssl_context)
When you run your server, the client will print upon connection:当您运行服务器时,客户端将在连接时打印:
b'Hello, Anonymous'
Maybe useful for beginners like myself: If you run across the "IP address mismatch, certificate is not valid for..' problem after implementing the above solution, search for how to create a self signed certificate for IP addresses with alternative names.可能对像我这样的初学者有用:如果您在实施上述解决方案后遇到“IP 地址不匹配,证书对...无效”问题,请搜索如何使用替代名称为 IP 地址创建自签名证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.