server端
# coding:utf-8
from __future__ import absolute_import, division, print_function, with_statement
import socket, ssl
import os
import tornado.tcpserver
from tornado.ioloop import IOLoop
import tornado.gen
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("/keys/server.crt",
"/keys/server.key")
ssl_ctx.load_verify_locations("keys/ca.crt")
ssl_ctx.verify_mode = ssl.CERT_REQUIRED
class A(tornado.tcpserver.TCPServer):
def handle_stream(self, stream, address):
self.run(stream)
@tornado.gen.coroutine
def run(self, stream):
body = yield stream.read_bytes(111110, partial=True)
print(body)
def main():
server = A(ssl_options=ssl_ctx)
server.listen(6030, '')
io_loop = IOLoop.current()
io_loop.add_callback(main)
io_loop.start()
client端
# coding:utf-8
import socket, ssl, pprint
import os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_ctx.load_cert_chain("keys/server.crt","keys/server.key")
ssl_sock = ssl_ctx.wrap_socket(s)
ssl_sock.connect(('localhost', 6030))
print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
print pprint.pformat(ssl_sock.getpeercert())
ssl_sock.write("boo!")
运行后
服务器端报错
[SSL: NO_CERTIFICATE_RETURNED] no certificate returned (_ssl.c:590)
客户端也报错
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590)
我想做的是ssl双向认证
客户端用的证书跟服务端应该不一样。只不过客户端的证书签发的CA,服务端能够认可
知道不一样,做测试的时候是一样的
服务端这个地方错了:
ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
要修改为
ssl_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
并增加
ssl_ctx.check_hostname = False
客户端少了验证服务器的CA证书,需增加一行
ssl_ctx.load_verify_locations("keys/ca.crt")
如果你的server.crt证书中域名和主机名不匹配,客户端需要再加两个语句
ssl_ctx.check_hostname=False
ssl_ctx.verify_mode = CERT_NONE
另外,你的证书用途(X.509证书扩展中的ext_usage)必须同时具备serverAuth和clientAuth用途
我在做双向认证的时候,报错PEM lib(3837)
请问是什么原因呢?