[英]Is python's ssl.get_server_certificate safe?
更具体地说,如果我运行以下代码:
import ssl
cert = """-----BEGIN CERTIFICATE-----
MIIF0zCCBTygAwIBAgIKQ8cwCQAAAABhvzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA2MjcxMzU4MzBaFw0xMzA2MDcxOTQzMjda
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALDYfDe83LlAxJ3T
+IwJLyXBmT2WcSTY2asm3q8Yl9EaUGmu0enmWkwUyiL7HybwTAZXFccanuEvI3+B
e5SMvv8Nj1/HHH2XvsP6wNnPuN9R9aaFLTdFrUVtPqbIXyaJVkUKEnxeBbOKgliD
I11FQL3Xj3Ktd09atKZJVpPT61QLAgMBAAGjggOmMIIDojAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOJAaGs7fvzmsw8gpn/NASXlHJLR
MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
BAIwADCCAmwGA1UdEQSCAmMwggJfggwqLmdvb2dsZS5jb22CCmdvb2dsZS5jb22C
DSoueW91dHViZS5jb22CC3lvdXR1YmUuY29tghYqLnlvdXR1YmUtbm9jb29raWUu
Y29tggh5b3V0dS5iZYILKi55dGltZy5jb22CDyouZ29vZ2xlLmNvbS5icoIOKi5n
b29nbGUuY28uaW6CCyouZ29vZ2xlLmVzgg4qLmdvb2dsZS5jby51a4ILKi5nb29n
bGUuY2GCCyouZ29vZ2xlLmZyggsqLmdvb2dsZS5wdIILKi5nb29nbGUuaXSCCyou
Z29vZ2xlLmRlggsqLmdvb2dsZS5jbIILKi5nb29nbGUucGyCCyouZ29vZ2xlLm5s
gg8qLmdvb2dsZS5jb20uYXWCDiouZ29vZ2xlLmNvLmpwggsqLmdvb2dsZS5odYIP
Ki5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5j
b4IPKi5nb29nbGUuY29tLnZugg8qLmdvb2dsZS5jb20udHKCDSouYW5kcm9pZC5j
b22CC2FuZHJvaWQuY29tghQqLmdvb2dsZWNvbW1lcmNlLmNvbYISZ29vZ2xlY29t
bWVyY2UuY29tghAqLnVybC5nb29nbGUuY29tggwqLnVyY2hpbi5jb22CCnVyY2hp
bi5jb22CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CFGdvb2dsZS1hbmFseXRpY3Mu
Y29tghIqLmNsb3VkLmdvb2dsZS5jb22CBmdvby5nbIIEZy5jb4INKi5nc3RhdGlj
LmNvbTANBgkqhkiG9w0BAQUFAAOBgQB9KkvLwBX4q9xjOt6T3xDYiiI3TrFI73us
xE/ZbvW4v8Bd+rcWMrmt25th1KHZd9Lobxt+nAK8+5J32ViEWl00p6E2tgNNUvpI
HfNRecBebuU9B2wmCDYWavqkifCiH8EkCu3roXZjoSvKIvq1NW10YF0CaDSEtd/Z
RdMdo5TaEA==
-----END CERTIFICATE-----
"""
if cert == ssl.get_server_certificate(('google.com',443)):
print "Valid"
else:
print "Invalid"
cert是通过ssl.get_server_certificate(('google.com',443))运行ssl.get_server_certificate(('google.com',443))获得的文本。
我想知道是否可以安全地假定此代码将验证我是否使用与以前相同的证书连接到服务器。
还是有可能欺骗该证书?
请注意,我不在乎证书上的通用名称。
考虑到我从文档中读取的内容,我可以看到这可能并不完全安全。 您需要使用ca_certs作为参数来指定根证书列表。 然后, ssl模块将为您完成验证过程。
您的方法存在的一些问题可能是:
notBefore和notAfter字段。 我们应该始终检查以确保当前日期在这两个值之间。 您的代码不执行不建议的验证。 因此,我认为最好让ssl模块处理验证过程,而不是让我们干预它。
Python ssl.get_server_certificate 下载错误的证书?
[英]Python ssl.get_server_certificate downloads wrong certificate?
SSL 错误 ssl.get_server_certificate 在某些网站上但在其他网站上没有
[英]SSL Errors for ssl.get_server_certificate on some websites but not on others
具有SNI的站点的ssl.get_server_certificate(服务器名称指示)
[英]ssl.get_server_certificate for sites with SNI (Server Name Indication)
Python Twisted:SSL例程,ssl3_get_server_certificate错误
[英]Python Twisted : SSL routines , ssl3_get_server_certificate errors
在python中抑制'SSL例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败'错误
[英]Suppress 'SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' errors in python
在 pythons 的请求库中禁用 SSL 证书验证是否安全?
[英]Is it safe to disable SSL certificate verification in pythons's requests lib?
请求(仅)* .google.com时,SSL上的SSL3_GET_SERVER_CERTIFICATE证书验证失败
[英]SSL3_GET_SERVER_CERTIFICATE certificate verify failed on Python when requesting (only) *.google.com
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.