
Certificate Generation for Python Twisted SSL

I am trying to figure out how to set up an SSL link using the Python library Twisted. I have managed to create a certificate that works on the server side, but I am totally stuck when it comes to the client side.

The example from the Twisted website states:

The following examples rely on the files server.pem (private key and self-signed certificate together) and public.pem (the server's public certificate by itself).

I have generated myself a certificate and key using OpenSSL:

Generate Private Key:
openssl genrsa -des3 -out certs/server.key 2048

Generate Certificate Signing Request:
openssl req -new -key certs/server.key -sha256 -out certs/server.csr

Generate a Self-Signed Certificate:
openssl x509 -req -days 365 -in certs/server.csr -signkey certs/server.key -sha256 -out certs/server.crt

Convert the CRT to PEM format:
openssl x509 -in certs/server.crt -out certs/server.pem -outform PEM

For the server side I am combining certs/server.crt and certs/server.key to create server.pem and trying to use server.crt for public.

When I try to run my test program using:

certificate = ssl.PrivateCertificate.loadPEM(certData)

I get an error about "no start line". Which certificate should I be using for the client if it's not server.crt, please?


This should be ssl.Certificate.LoadPEM(certData) if you look at the example on the Twisted howto page.
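As an added example (not from the question or either answer), a stdlib-only check that reports which PEM blocks a file contains and predicts whether Twisted's Certificate.loadPEM or PrivateCertificate.loadPEM will accept it; it explains the "no start line" error above (OpenSSL's PEM reader hit end of file without finding a block of the type it wanted) and also flags the passphrase-protected key that `openssl genrsa -des3` produces. The PEM bodies below are constructed placeholders, not real keys or certificates.

```python
import re
from typing import List, Tuple

# One PEM block: label ("CERTIFICATE", "RSA PRIVATE KEY", ...) plus body, so optional
# headers such as "Proc-Type: 4,ENCRYPTED" written by 'openssl genrsa -des3' stay visible.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(data: bytes) -> List[Tuple[str, bool]]:
    """Return (label, is_encrypted) for every PEM block in data, in file order."""
    text = data.decode("ascii", errors="replace")
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        encrypted = "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY"
        blocks.append((label, encrypted))
    return blocks

def loadpem_diagnosis(data: bytes, want_private: bool) -> str:
    """Predict what Twisted's loadPEM does with this data.

    want_private=True models ssl.PrivateCertificate.loadPEM (server side: certificate
    AND key in one PEM); False models ssl.Certificate.loadPEM (client side: certificate
    only). Neither takes a passphrase, so a des3-protected key cannot be loaded as-is.
    """
    blocks = pem_blocks(data)
    if not blocks:
        return "no PEM armour at all (DER or wrong file): OpenSSL reports 'no start line'"
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        return "no CERTIFICATE block: loadPEM cannot find a certificate ('no start line')"
    if not want_private:
        return "ok for ssl.Certificate.loadPEM"
    keys = [enc for label, enc in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        return "certificate only, no PRIVATE KEY block: PrivateCertificate.loadPEM fails ('no start line')"
    if any(keys):
        return "private key is passphrase-protected: strip it first (openssl rsa -in server.key -out server-plain.key)"
    return "ok for ssl.PrivateCertificate.loadPEM"

# Constructed placeholders: the bodies are not real certificates or keys.
CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIE...placeholder...\n"
                 b"-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, data, private in [("server.crt for client", CERT_ONLY, False),
                                ("server.crt + des3 key for server", CERT_ONLY + ENCRYPTED_KEY, True)]:
        print(f"{name}: {loadpem_diagnosis(data, private)}")
```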

In case you want to have certificate-based authentication for the clients as well:

I had that issue some time ago and wrote a blog post about my solution. It also contains a guide to create certificates and sign them with your own certificate authority. You can find the Python example code at GitHub.

It uses Twisted for a simple JSONRPCServer with certificate-based authentication for both the server and the clients.

The main thing is to define your own AltCtxFactory for the clients:

from OpenSSL import SSL
from twisted.internet import ssl

# verifyCallback(connection, x509, errnum, errdepth, ok) and
# password_cb(max_length, prompt_twice, userdata) are pyOpenSSL-style
# callbacks defined elsewhere in the linked example code; they are
# referenced below but not shown here.

# Use our own context factory to use our certificate to authenticate
# against the server and ensure that we are using a strong SSL/TLS
# encryption method
class AltCtxFactory(ssl.ClientContextFactory):
    def getContext(self):
        # Used TLS/SSL encryption method
        sslMethod = SSL.TLSv1_2_METHOD
        # Client's private key, used for authentication
        privKey = "<PATH TO YOUR PRIVATE KEY>"
        # Client's certificate, used for authentication
        certificate = "<PATH TO YOUR CERTIFICATE>"
        # Our trusted Certificate Authority for server connections
        accepted_ca = "<PATH TO YOUR ACCEPTED CERTIFICATE AUTHORITY>"

        self.method = sslMethod
        ctx = ssl.ClientContextFactory.getContext(self)
        # Ensure that we verify the server's certificate and use our own
        # verifyCallback method to get further details of invalid certificates
        ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                       verifyCallback)
        # Ensure that we only trust our CA
        ctx.load_verify_locations(accepted_ca)
        # Use our own callback method if a password is needed to decrypt our
        # private key
        ctx.set_passwd_cb(password_cb)
        # Use our certificate for authentication against the server
        ctx.use_certificate_file(certificate)
        # Use our private key for authentication against the server
        ctx.use_privatekey_file(privKey)
        return ctx

Feel free to use the code in your projects.
