python的ssl.get_server_certificate安全吗?
[英]Is python's ssl.get_server_certificate safe?
问题描述
More specifically, if I run the following code: 
更具体地说,如果我运行以下代码:
import ssl
cert = """-----BEGIN CERTIFICATE-----
MIIF0zCCBTygAwIBAgIKQ8cwCQAAAABhvzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA2MjcxMzU4MzBaFw0xMzA2MDcxOTQzMjda
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALDYfDe83LlAxJ3T
+IwJLyXBmT2WcSTY2asm3q8Yl9EaUGmu0enmWkwUyiL7HybwTAZXFccanuEvI3+B
e5SMvv8Nj1/HHH2XvsP6wNnPuN9R9aaFLTdFrUVtPqbIXyaJVkUKEnxeBbOKgliD
I11FQL3Xj3Ktd09atKZJVpPT61QLAgMBAAGjggOmMIIDojAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOJAaGs7fvzmsw8gpn/NASXlHJLR
MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
BAIwADCCAmwGA1UdEQSCAmMwggJfggwqLmdvb2dsZS5jb22CCmdvb2dsZS5jb22C
DSoueW91dHViZS5jb22CC3lvdXR1YmUuY29tghYqLnlvdXR1YmUtbm9jb29raWUu
Y29tggh5b3V0dS5iZYILKi55dGltZy5jb22CDyouZ29vZ2xlLmNvbS5icoIOKi5n
b29nbGUuY28uaW6CCyouZ29vZ2xlLmVzgg4qLmdvb2dsZS5jby51a4ILKi5nb29n
bGUuY2GCCyouZ29vZ2xlLmZyggsqLmdvb2dsZS5wdIILKi5nb29nbGUuaXSCCyou
Z29vZ2xlLmRlggsqLmdvb2dsZS5jbIILKi5nb29nbGUucGyCCyouZ29vZ2xlLm5s
gg8qLmdvb2dsZS5jb20uYXWCDiouZ29vZ2xlLmNvLmpwggsqLmdvb2dsZS5odYIP
Ki5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5j
b4IPKi5nb29nbGUuY29tLnZugg8qLmdvb2dsZS5jb20udHKCDSouYW5kcm9pZC5j
b22CC2FuZHJvaWQuY29tghQqLmdvb2dsZWNvbW1lcmNlLmNvbYISZ29vZ2xlY29t
bWVyY2UuY29tghAqLnVybC5nb29nbGUuY29tggwqLnVyY2hpbi5jb22CCnVyY2hp
bi5jb22CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CFGdvb2dsZS1hbmFseXRpY3Mu
Y29tghIqLmNsb3VkLmdvb2dsZS5jb22CBmdvby5nbIIEZy5jb4INKi5nc3RhdGlj
LmNvbTANBgkqhkiG9w0BAQUFAAOBgQB9KkvLwBX4q9xjOt6T3xDYiiI3TrFI73us
xE/ZbvW4v8Bd+rcWMrmt25th1KHZd9Lobxt+nAK8+5J32ViEWl00p6E2tgNNUvpI
HfNRecBebuU9B2wmCDYWavqkifCiH8EkCu3roXZjoSvKIvq1NW10YF0CaDSEtd/Z
RdMdo5TaEA==
-----END CERTIFICATE-----
"""
if cert == ssl.get_server_certificate(('google.com',443)):
print "Valid"
else:
print "Invalid"
where cert is the text gained by running ssl.get_server_certificate(('google.com',443)) previously. cert是通过ssl.get_server_certificate(('google.com',443))运行ssl.get_server_certificate(('google.com',443))获得的文本。
I want to know if it is safe to assume that this code will validate that I am connecting to a server with the same certificate as before. 我想知道是否可以安全地假定此代码将验证我是否使用与以前相同的证书连接到服务器。
Or is it possible to spoof that certificate? 还是有可能欺骗该证书?
Note that I don't care about the common name on the certificate. 请注意,我不在乎证书上的通用名称。
1 个解决方案
解决方案1
1 已采纳 2012-07-19 05:23:31
Considering what I read from the docs , I can see that this might not be completely safe. 考虑到我从文档中读取的内容,我可以看到这可能并不完全安全。 You need to specify the list of root certificates using ca_certs as a parameter. 您需要使用ca_certs作为参数来指定根证书列表。 Then, the ssl module will take care of the verification process for you. 然后, ssl模块将为您完成验证过程。
Some of the problems with your method might be: 您的方法存在的一些问题可能是:
- Every certificate has
notBeforeandnotAfterfields.每个证书都有notBefore和notAfter字段。 We should alway check to make sure the current date is between these two values.我们应该始终检查以确保当前日期在这两个值之间。 Your code does not do that verification which is not recommended. 您的代码不执行不建议的验证。 - Say, the web server begins to use another CA for its certificates. 说,Web服务器开始使用另一个CA为其证书。 Then, your code will result in a false positive and you lose functionality in this case. 然后,您的代码将导致误报,并且在这种情况下您将失去功能。
- In case any CA gets revoked, there is no way for your code to handle this. 如果任何CA被吊销,您的代码将无法处理此问题。
So, I think it is best to let the ssl module handle the verification process instead of us meddling with it. 因此,我认为最好让ssl模块处理验证过程,而不是让我们干预它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.