[英]Python ssl socket server SSLV3_ALERT_CERTIFICATE_UNKNOWN issue
I am writing a python socket server with ssl and I am encountering certificate unknown error during ssl handshake.我正在使用 ssl 编写 python 套接字服务器,并且在 ssl 握手期间遇到证书未知错误。
I have created private key and certificate with openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
command on my own.我自己使用
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
命令创建了私钥和证书。
This server is intended to run in intranet(under wifi) in my PC, and users will contact my PC IPaddress with their browser.该服务器旨在在我的 PC 中的 Intranet(在 wifi 下)运行,用户将通过他们的浏览器联系我的 PC IP 地址。 Hence I have not registered this certificate with any CA.
因此,我没有向任何 CA 注册此证书。 and I don't think its mandatory in my case.
而且我认为在我的情况下它不是强制性的。
Below more details..下面有更多细节..
echoserver.py回声服务器.py
import socket
import ssl
import threading
class echoserver:
def __init__(self,i,p):
self.ip=i
self.port=p
def handler(self,c,a):
msg=c.recv(1024)
c.send(msg)
def serve(self):
echoserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
echoserver = ssl.wrap_socket(echoserver, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
echoserver.bind((self.ip, self.port))
echoserver.listen()
while True:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
es=echoserver('192.168.43.124',443) #My PC's ip assigned under wifi network
es.serve()
#Connecting from mobile phone within same network as https://192.163.43.124
Error in server during ssl handshake ssl 握手期间服务器出错
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
What I tried我试过的
certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
One other thing I noted is , if I use built-in ThreadedHTTPServer
in the same way as below, It works beautifully, without any issues I mentioned above.我注意到的另一件事是,如果我以与下面相同的方式使用内置的
ThreadedHTTPServer
,它工作得很好,没有我上面提到的任何问题。
httpd = self.ThreadedHTTPServer((self.ip, self.port), self.handler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
I am not sure why this happens and how should I proceed with this.我不确定为什么会发生这种情况以及我应该如何进行。 and not sure how built-in server modules works fine.
并且不确定内置服务器模块如何正常工作。
Appreciate any leads.欣赏任何线索。 Thanks.
谢谢。
Below Python builtin HTTPServer works fine with ssl, not showing any error.下面 Python 内置 HTTPServer 与 ssl 一起正常工作,没有显示任何错误。 Not sure how?
不知道怎么做?
import ssl
from http.server import HTTPServer, BaseHTTPRequestHandler
class requesthandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-type","text/html")
self.end_headers()
self.wfile.write("<html><body>It works</body></html>".encode('utf8'))
httpd = HTTPServer(('192.168.43.124', 443), requesthandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
httpd.serve_forever()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
This means the client (browser) does not trust your certificate since it is issued by an unknown entity.这意味着客户端(浏览器)不信任您的证书,因为它是由未知实体颁发的。 If you want to use self-signed certificates you have to explicitly import these as trusted for all clients you want to use.
如果您想使用自签名证书,您必须明确将这些证书导入为您要使用的所有客户端的受信任证书。
There is no way around this.没有办法解决这个问题。 The certificate in TLS is to make sure that the connection is done with the expected server and not some man in the middle claiming to be the expected server.
TLS 中的证书是为了确保连接是通过预期的服务器完成的,而不是中间的某个人声称是预期的服务器。 If a client would trust arbitrary certificates then it would also trust certificates created by a man in the middle attacker.
如果客户端信任任意证书,那么它也会信任中间攻击者创建的证书。
Below Python builtin HTTPServer works fine with ssl, not showing any error.
下面 Python 内置 HTTPServer 与 ssl 一起正常工作,没有显示任何错误。 Not sure how?
不知道怎么做?
The browser will still complain.浏览器仍然会抱怨。 The only difference is that the server captures the exception and thus will not crash but continue.
唯一的区别是服务器捕获了异常,因此不会崩溃而是继续。 You can do the same in your code:
您可以在代码中执行相同的操作:
while True:
try:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
except:
pass # ignore error
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.