When I test CRL revocation with Python ssl and socket
When I tried to use a CRL file with Python's ssl module to check whether the peer certificate is revoked, I consulted the official Python documentation, but there was very little. My basic steps:
import pprint
import socket
import ssl

def tls_check(domain, port):
    addr = domain
    ctx = ssl.create_default_context()
    # verify_mode is a separate attribute; bit-masking ctx.options with
    # CERT_REQUIRED does not enable peer verification
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
    ctx.check_hostname = False
    ctx.load_verify_locations(cafile="/home/linux/CloudBrahma_release/Utils/pre_crl.pem")
    sock = ctx.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM), server_hostname=addr)
    sock.connect((addr, port))
    print("TLS Certificate:")
    pprint.pprint(sock.getpeercert())
    print("TLS Version:", sock.version())
    print("TLS Cipher:", sock.cipher()[0])
    exit()
tls_check("xxxxx", 8080)
I got this error:
Traceback (most recent call last):
File "test.py", line 28, in <module>
tls_check("100.94.2.17", 8443)
File "test.py", line 21, in tls_check
sock.connect((addr, port))
File "/home/linux/py3env/lib/python3.7/ssl.py", line 1150, in connect
self._real_connect(addr, False)
File "/home/linux/py3env/lib/python3.7/ssl.py", line 1141, in _real_connect
self.do_handshake()
File "/home/linux/py3env/lib/python3.7/ssl.py", line 1117, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
ctx.load_verify_locations(cafile="/home/linux/CloudBrahma_release/Utils/pre_crl.pem")
This is expecting a file with the trusted CA. If you give a file with CRL instead you essentially have no trusted CA. This means it will not be able to find the root CA for a certificate since you have no trusted root CA defined, resulting in
... certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
Instead the given cafile must include the trusted root CA and additionally the CRL if you want to check for CRL. But granted, this kind of API is strange and the documentation is not really helpful either.
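A setup that follows the answer, as an added example that is not part of the original question or answer: the trusted root CA and the CRL go into one PEM bundle, which is sanity-checked before it is handed to load_verify_locations(). The PEM strings below are constructed placeholders rather than real certificates, and the helper names are my own.

```python
import re
import socket
import ssl

# Label of every PEM block in a file ("CERTIFICATE", "X509 CRL", ...).
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)

# Constructed placeholders standing in for real PEM data (not valid certs).
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FAKE_CRL = "-----BEGIN X509 CRL-----\nQ1JMIFBMQUNFSE9MREVS\n-----END X509 CRL-----\n"

def pem_block_counts(pem_text):
    """Count PEM blocks by label so a bundle can be inspected before use."""
    counts = {}
    for label in PEM_BEGIN.findall(pem_text):
        counts[label] = counts.get(label, 0) + 1
    return counts

def build_ca_bundle(ca_pem, crl_pem):
    """Return one PEM text: trusted root CA(s) followed by the CRL(s).

    OpenSSL reads both certificate and CRL blocks from the cafile, so this
    combined text is what cafile= must point at. A CRL-only file loads
    without error but leaves the trust store empty, which is exactly the
    'unable to get local issuer certificate' failure from the question.
    """
    bundle = ca_pem.rstrip("\n") + "\n" + crl_pem.rstrip("\n") + "\n"
    counts = pem_block_counts(bundle)
    if counts.get("CERTIFICATE", 0) == 0:
        raise ValueError("bundle has no CA certificate, only: %s" % sorted(counts))
    if counts.get("X509 CRL", 0) == 0:
        raise ValueError("bundle has no CRL; revocation cannot be checked")
    return bundle

def make_crl_checking_context(cafile):
    """Client context requiring a chain to a trusted CA plus a CRL check."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED             # attribute, not ctx.options
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN  # every cert in the chain
    ctx.load_verify_locations(cafile=cafile)       # CA + CRL bundle
    return ctx

def tls_check(domain, port, cafile):
    """Connect and return (peer certificate, TLS version) after verification."""
    ctx = make_crl_checking_context(cafile)
    with socket.create_connection((domain, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as sock:
            return sock.getpeercert(), sock.version()
```

Write the result of build_ca_bundle() to a file and pass that path as cafile; if the CRL is stale or missing for any issuer in the chain, the handshake still fails, this time with a CRL-related verification error rather than a missing-issuer one.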