
Why is `server_hostname` required for an SSL-wrapped socket?

I'm writing some Python code that needs to communicate with a remote host via a TLS connection. I set up an SSL context like this:

```python
import socket
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
```

Then, I connected to domain `d` over port `p` like this:

```python
# create_connection() takes the address as a single (host, port) tuple
s = ctx.wrap_socket(socket.create_connection((d, p)))
```

I was met with a protocol violation on an unexpected EOF. The fix was to create the socket like this:

```python
s = ctx.wrap_socket(socket.create_connection((d, p)), server_hostname=d)
```

As I know next to nothing about TLS, this is pretty confusing. Why would the server hostname be required for a successful connection?

If it matters, I tested a connection to domain `d = 'drewdevault.com'` on port `p = 1965`; I'm writing a Gemini client. This was not reproducible with all remote hosts.

The `server_hostname` argument will be used in the TLS handshake to provide the server with the expected hostname. It is not strictly required in TLS, but it is needed on servers which have multiple certificates for different domains but on the same IP address. Without this information the server does not know which certificate to provide to the client.
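To see what the argument changes on the wire, the following added example (not from the original question or answer) builds the ClientHello that Python's `ssl` module would send, with and without `server_hostname`, and parses out the Server Name Indication (SNI) extension. It uses in-memory BIOs, so nothing touches the network; the function names `client_hello` and `sni_from_client_hello` are assumptions made for this illustration.

```python
import ssl

def client_hello(server_hostname=None):
    """Return the raw first flight (the ClientHello) the ssl module would send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only so that server_hostname=None is accepted; no certificate is ever
    # received in this example because the handshake stops after one flight.
    ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host_name carried in the SNI extension, or None if absent."""
    # Reassemble the handshake message from TLS records
    # (5-byte header: content type, version, length; type 0x16 = handshake).
    hs, pos = b"", 0
    while pos + 5 <= len(data) and data[pos] == 0x16:
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        hs += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big") # end of extensions block
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(hs[p:p + 2], "big")
        ext_len = int.from_bytes(hs[p + 2:p + 4], "big")
        body = hs[p + 4:p + 4 + ext_len]
        if ext_type == 0:  # server_name extension
            # body layout: list_len(2) name_type(1) name_len(2) host_name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

if __name__ == "__main__":
    # Hostname taken from the question; no connection is made to it.
    print("with server_hostname:   ", sni_from_client_hello(client_hello("drewdevault.com")))
    print("without server_hostname:", sni_from_client_hello(client_hello()))
```

A server that hosts several certificates on one address sees the hostname only in the first case; in the second it has to fall back to a default certificate or close the connection, which matches the unexpected EOF described in the question.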
