Cannot connect from a Tornado client to a Tornado SSL server

Question (votes: 1, answers: 1)

I am new to SSL and related things. I generated a self-signed certificate using openssl:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem

The server has the following code.

import ssl

import tornado.httpserver
import tornado.ioloop

# Application (a tornado.web.Application subclass) is defined elsewhere in
# the project; the question does not show it.

if __name__ == "__main__":
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.load_cert_chain("/home/rootkit/ssl/certificate.pem",
                            "/home/rootkit/ssl/key.pem")

    http_server = tornado.httpserver.HTTPServer(Application(), ssl_options=context)
    #
    # http_server = tornado.httpserver.HTTPServer(Application(), ssl_options={
    #     'certfile': '/home/rootkit/ssl/certificate.pem',
    #     'keyfile': '/home/rootkit/ssl/key.pem',
    # })
    http_server.listen(8888)
    tornado.ioloop.IOLoop.current().start()

When I access the URL from Chrome, it just gives an exception because the certificate is not signed by any authority, so I proceed as insecure.

But if I look at the traffic in Wireshark, it shows encrypted traffic.

But when I try to connect with the Tornado client, it throws the following error.

    WARNING:tornado.general:SSL Error on 6 ('127.0.0.1', 8888): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
    ERROR:tornado.application:Exception in callback functools.partial(<function wrap.<locals>.null_wrapper at 0xb72e514c>, <Task finished coro=<check_status() done, defined at /home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py:82> exception=SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)')>)
    Traceback (most recent call last):
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 758, in _run_callback
        ret = callback()
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/stack_context.py", line 300, in null_wrapper
        return fn(*args, **kwargs)
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 779, in _discard_future_result
        future.result()
      File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
        raise self._exception
      File "/usr/lib/python3.5/asyncio/tasks.py", line 241, in _step
        result = coro.throw(exc)
      File "/home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py", line 89, in check_status
        param = await client.fetch(request)
      File "/usr/lib/python3.5/asyncio/futures.py", line 361, in __iter__
        yield self  # This tells Task to wait for completion.
      File "/usr/lib/python3.5/asyncio/tasks.py", line 296, in _wakeup
        future.result()
      File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
        raise self._exception
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/simple_httpclient.py", line 272, in run
        max_buffer_size=self.max_buffer_size)
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
        value = future.result()
      File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
        raise self._exception
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1141, in run
        yielded = self.gen.throw(*exc_info)
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/tcpclient.py", line 242, in connect
        server_hostname=host)
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
        value = future.result()
      File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
        raise self._exception
      File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/iostream.py", line 1501, in _do_ssl_handshake
        self.socket.do_handshake()
      File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
        self._sslobj.do_handshake()
      File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

This is the client code.

from tornado import httpclient, ioloop


async def check_status():
    url = "https://127.0.0.1:8888/"
    # client_key / client_cert present a client certificate to the server
    request = httpclient.HTTPRequest(url=url,
                                     method="GET",
                                     client_key="/home/rootkit/client.key",
                                     client_cert="/home/rootkit/ssl/client.pem")
    client = httpclient.AsyncHTTPClient()
    param = await client.fetch(request)
    print(param)


if __name__ == "__main__":
    ioloop.IOLoop.current().run_sync(check_status)

I generated the client certificate with the same command I used for the server.

What might be the problem? What am I missing?

python-3.x ssl certificate tornado
1 Answer

0 votes

I got the answer from the GitHub repo:

"A 'client' certificate is a completely different thing: it is a way for the server to verify the client, so-called 'mutual authentication'. In this case it does nothing, because the server is not set up to check the client's certificate. It does not cause the client to skip verification of the server's certificate. To do what Chrome does, use validate_cert=False.

(Standard disclaimer: when you turn this code into some real product or service, you need to make sure you don't accidentally leave validate_cert=False in.)

So I just needed to remove the client-side verification of the certificate.

For 'real production use', you probably want to generate a real, trusted server certificate for your real DNS domain, e.g. using 'Let's Encrypt'."

validate_cert=False will encrypt the traffic but not verify the certificate?

So I changed my client to:

from tornado import httpclient, ioloop


async def check_status():
    url = "https://127.0.0.1:8888/"
    # validate_cert=False: the connection is still TLS-encrypted, but the
    # server's certificate is not verified (see the disclaimer above)
    request = httpclient.HTTPRequest(url=url,
                                     method="GET",
                                     validate_cert=False)
    client = httpclient.AsyncHTTPClient()
    param = await client.fetch(request)
    print(param.body)


if __name__ == "__main__":
    ioloop.IOLoop.current().run_sync(check_status)
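The accepted fix, validate_cert=False, makes the client accept any certificate at all, which is exactly what clicking through Chrome's warning does. For a self-signed certificate there is a verifiable alternative: tell the client to trust that one certificate and leave verification on. Tornado's HTTPRequest takes a ca_certs path (or a ready-made ssl.SSLContext via ssl_options) for this, and validate_cert stays at its default of True. The following is an added example, not code from the question, the answer or the Tornado project. It uses only the Python standard library plus the openssl command from the question, and runs three client policies against a local TLS server with a freshly generated self-signed certificate: the default (system CA store), a context pinned to the self-signed PEM, and the validate_cert=False equivalent. The -subj and -addext arguments, the serve/try_handshake helpers and the result labels are this example's own assumptions.

```python
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path


def openssl_available():
    """True if the openssl CLI from the question is on PATH (needed only by demo())."""
    return shutil.which("openssl") is not None


def make_self_signed_cert(workdir):
    """Same openssl command as the question, plus a subject and a SubjectAltName
    covering 127.0.0.1 so that a verifying client's hostname check can succeed
    (both arguments are this example's assumption)."""
    cert, key = Path(workdir) / "certificate.pem", Path(workdir) / "key.pem"
    subprocess.run(
        ["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
         "-x509", "-days", "3650", "-out", str(cert), "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost,IP:127.0.0.1"],
        check=True, capture_output=True,
    )
    return cert, key


def default_context():
    """Tornado's default (validate_cert=True, no ca_certs): only the system CA
    store is trusted, so a self-signed server certificate fails verification."""
    return ssl.create_default_context()


def pinned_context(cert_path):
    """Trust exactly one certificate, the server's own self-signed PEM, with
    hostname checking still on. Tornado equivalent: HTTPRequest(url, ca_certs=...)."""
    return ssl.create_default_context(cafile=str(cert_path))


def insecure_context():
    """What validate_cert=False does: the channel is encrypted, but any
    certificate is accepted, so the client learns nothing about who answered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """True if the context validates the certificate chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def serve(cert_path, key_path, ready, ports, n_clients):
    """Tiny TLS server on 127.0.0.1 that serves n_clients handshakes in turn."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(str(cert_path), str(key_path))
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen()
        ports.append(lsock.getsockname()[1])
        ready.set()
        for _ in range(n_clients):
            conn, _ = lsock.accept()
            try:
                with srv.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                pass  # the client rejected our certificate and hung up


def try_handshake(ctx, port):
    """'ok' if the handshake completes, else 'rejected:<OpenSSL reason>'."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname="127.0.0.1"):
                return "ok"
        except ssl.SSLCertVerificationError as exc:
            return "rejected:" + exc.reason


def demo():
    """Run the three client policies against one self-signed server.
    Returns None when the openssl CLI is not available."""
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        ready, ports = threading.Event(), []
        srv = threading.Thread(target=serve, args=(cert, key, ready, ports, 3), daemon=True)
        srv.start()
        ready.wait(5)
        results = {
            "system_cas": try_handshake(default_context(), ports[0]),
            "pinned_self_signed": try_handshake(pinned_context(cert), ports[0]),
            "validate_cert_false": try_handshake(insecure_context(), ports[0]),
        }
        srv.join(5)
    return results


if __name__ == "__main__":
    for policy, outcome in (demo() or {}).items():
        print(f"{policy:22s} {outcome}")
```

Run it with python3 and the default context reports rejected:CERTIFICATE_VERIFY_FAILED, the same OpenSSL reason as in the traceback above; the pinned context completes the handshake with verification still enabled; the validate_cert=False equivalent also completes, but proves nothing about the peer. For the Tornado client in the question, the corresponding change is to pass ca_certs="/home/rootkit/ssl/certificate.pem" to HTTPRequest instead of validate_cert=False.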