Python ssl 套接字服务器 SSLV3_ALERT_CERTIFICATE_UNKNOWN 问题
[英]Python ssl socket server SSLV3_ALERT_CERTIFICATE_UNKNOWN issue
问题描述
I am writing a python socket server with ssl and I am encountering certificate unknown error during ssl handshake.
我正在使用 ssl 编写 python 套接字服务器,并且在 ssl 握手期间遇到证书未知错误。
I have created private key and certificate with openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes command on my own.我自己使用openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes命令创建了私钥和证书。
This server is intended to run in intranet(under wifi) in my PC, and users will contact my PC IPaddress with their browser.该服务器旨在在我的 PC 中的 Intranet(在 wifi 下)运行,用户将通过他们的浏览器联系我的 PC IP 地址。 Hence I have not registered this certificate with any CA.因此,我没有向任何 CA 注册此证书。 and I don't think its mandatory in my case.而且我认为在我的情况下它不是强制性的。
Below more details..下面有更多细节..
echoserver.py回声服务器.py
import socket
import ssl
import threading
class echoserver:
def __init__(self,i,p):
self.ip=i
self.port=p
def handler(self,c,a):
msg=c.recv(1024)
c.send(msg)
def serve(self):
echoserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
echoserver = ssl.wrap_socket(echoserver, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
echoserver.bind((self.ip, self.port))
echoserver.listen()
while True:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
es=echoserver('192.168.43.124',443) #My PC's ip assigned under wifi network
es.serve()
#Connecting from mobile phone within same network as https://192.163.43.124
Error in server during ssl handshake ssl 握手期间服务器出错
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
What I tried我试过的
- Adding cert_reqs=ssl.CERT_NONE and ca_certs="/location/to/keys" parameters in wrap_socket function.在 wrap_socket function 中添加 cert_reqs=ssl.CERT_NONE 和 ca_certs="/location/to/keys" 参数。
Doesn't seems to work.似乎不起作用。 I assume these options are for client side.我假设这些选项是针对客户端的。 - Adding do_handshake_on_connect=False in wrap_socket function在 wrap_socket function 中添加 do_handshake_on_connect=False
In Chrome, When connected server throws same error and thread/connection closed with exception.在 Chrome 中,当连接的服务器抛出相同的错误并且线程/连接异常关闭时。 and chrome seems to send same connection request immediately again , and the second request works flawlessly.!.并且chrome 似乎再次立即发送相同的连接请求,并且第二个请求完美无缺。!。
In firefox, First connection closed with same error and there is no second request.在 firefox 中,第一个连接以同样的错误关闭,并且没有第二个请求。 - Assigning common name in certificate same as IP address在证书中分配与 IP 地址相同的公用名
Not working.不工作。 - Checked certificate_unknown error in ietf specification here .在此处检查 ietf 规范中的 certificate_unknown 错误。 It gives no clue except this explanation
certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.除了这个解释之外,它没有给出任何线索certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
One other thing I noted is , if I use built-in ThreadedHTTPServer in the same way as below, It works beautifully, without any issues I mentioned above.我注意到的另一件事是,如果我以与下面相同的方式使用内置的ThreadedHTTPServer ,它工作得很好,没有我上面提到的任何问题。
httpd = self.ThreadedHTTPServer((self.ip, self.port), self.handler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
I am not sure why this happens and how should I proceed with this.我不确定为什么会发生这种情况以及我应该如何进行。 and not sure how built-in server modules works fine.并且不确定内置服务器模块如何正常工作。
Appreciate any leads.欣赏任何线索。 Thanks.谢谢。
Below Python builtin HTTPServer works fine with ssl, not showing any error.下面 Python 内置 HTTPServer 与 ssl 一起正常工作,没有显示任何错误。 Not sure how?不知道怎么做?
import ssl
from http.server import HTTPServer, BaseHTTPRequestHandler
class requesthandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-type","text/html")
self.end_headers()
self.wfile.write("<html><body>It works</body></html>".encode('utf8'))
httpd = HTTPServer(('192.168.43.124', 443), requesthandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
httpd.serve_forever()
1 个解决方案
解决方案1
3 已采纳 2020-06-22 15:47:35
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
This means the client (browser) does not trust your certificate since it is issued by an unknown entity.这意味着客户端(浏览器)不信任您的证书,因为它是由未知实体颁发的。 If you want to use self-signed certificates you have to explicitly import these as trusted for all clients you want to use.如果您想使用自签名证书,您必须明确将这些证书导入为您要使用的所有客户端的受信任证书。
There is no way around this.没有办法解决这个问题。 The certificate in TLS is to make sure that the connection is done with the expected server and not some man in the middle claiming to be the expected server. TLS 中的证书是为了确保连接是通过预期的服务器完成的,而不是中间的某个人声称是预期的服务器。 If a client would trust arbitrary certificates then it would also trust certificates created by a man in the middle attacker.如果客户端信任任意证书,那么它也会信任中间攻击者创建的证书。
Below Python builtin HTTPServer works fine with ssl, not showing any error.
The browser will still complain.浏览器仍然会抱怨。 The only difference is that the server captures the exception and thus will not crash but continue.唯一的区别是服务器捕获了异常,因此不会崩溃而是继续。 You can do the same in your code:您可以在代码中执行相同的操作:
while True:
try:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
except:
pass # ignore error
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.