我正在尝试连接到使用 HTTPS 客户端证书身份验证的 Web 服务器。当我使用 curl 时它工作正常:
leo@leo-VirtualBox:~/development/pki-client$ curl --key admin.privkey.pem --cert admin.crt -k --url "https://ca.cloud.leotr.org/"
<!DOCTYPE html>
<html>
<head>
<title>Welcome to CA</title>
<link href="/static/bootstrap/css/bootstrap.min.css" rel="stylesheet"/>
</head>
<body>
<div class="container">
<h1>REMS CA server</h1>
<p class="lead">Hello and welcome to REMS CA. Currently this page is
almost empty. But you can download CA root certificate and install it
into your browser ;)</p>
<a class="btn btn-large btn-primary" href="/remspki/cacert/">Download CA certificate</a>
<a class="btn btn-large" href="/admin/">Go to Admin site <i class="icon-arrow-right"></i> </a>
</div>
</body>
</html>
客户端私钥文件内容
leo@leo-VirtualBox:~/development/pki-client$ cat admin.privkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdN
ggw/D70jEfc7dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrg
EtRLyFFv3OB1sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qo
Ll7aBIpbugFew6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2
XUUMOqi+/jFmiXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi
/JR8dsm985c5KPLIxWVGK0VKC67catEY5j/70wIDAQABAoIBAAF+RwOhFmQIcBU7
kywMZ7XetGB6OTzSpBzzu5sjzLq4qqWtxfU00mL3gUzJPuQGE3Ldq986nhbR/mn3
6BkFpatsa8ypn0W9hYC8AK3KPPsmvGs+yCt/Lisxdv9PmcZc49LhWOtMBTMiYtFH
iTJdV5ToGT6kNirdLscxtCHsVe21EH2TMO4k06bK18UJFewswsyMN66FKX0wSF9w
yZ/9A9VJOaUOXo6Mos/tvyf9rjhOqb02DOqOuWVVFRWWax75+M2qKnacSuKfMPfc
21B3ulQRIcR7PjIVIMTZkLO+MjD7DBiywIcD50H1005cL05a8latjXdENY5Xeh9Z
duS4I5ECgYEA3BzbGf45gDzZWTeTjnfQ/9m3MuGmAzAG2zjStFQnquiMyH0IZzSB
/awKJxXcdO7cUXfjOWxIgA7nNj+ewOUXj5uQH9F+8cl+raxyEsixdPwfSzCyLcwD
Zp2SsoXKPRx12SrAbl5wQqePN6+pntLRmW8xfUKFZAhs5CtxQ6bymBkCgYEA1L+V
zas85TUITqZi0//lmdqWdfRhkHdIBkLsHxRE4RnEsfGqvy3XQZTQ0zLGjz4WtUSq
xjh0rK6jMGEGGypRM8G0kpfBpGFYu9Hy8hpFKDwnihfk/XnuaXBLiN82V8vVWGrl
tc5DrTHCxVbVW99W7IaVVLgY/D0kFI/195yYYMsCgYBGTIUBmTs+JLD6GJDs6IF8
pUkoW/8Md5NJAq3w4AvHPvxvr9c2NwPpQ7/+WbIOOpdtAZA1r8q784aOweTvEHvk
5rcyIlOb31GxIClSrHxYs4k/F29gxw6zAFJw59/+go90632IAmtyLlfEXjsbOZOt
oGC687rshvBYMzO6eqBySQKBgQCDG95x9Ql+J4SLE7br91PD0RXQc1587UWRtkRV
kuQv5PV2w/v5/YIehFt9DFmZhSXxZ/PmXHxqvuUKt4BP1XBdeQ6TGLrZVrScavJR
iSb9eLTVQYx5OV9X00B5hTW0PYWpC5esxwSmA3iIrM6n46dp9DarExkyuWs20NFA
W1z8qQKBgGD2XiB/N9QRVNW0CpuVgWx3HBllJpXT2QMeCx57AEeCmOnSkByyvYmR
Aszu2CQn2ynHO+3B46uJ+Sg2pmcEjvUrhERhRT23lpZY8VDGpfVjfQcqfVhwzrHQ
Y2kf6WV+C32klQ6bKOwwO9TavvKCloiENJfbRdLvGvswBVgnWlGW
-----END RSA PRIVATE KEY-----
客户证书
leo@leo-VirtualBox:~/development/pki-client$ cat admin.crt
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMRIwEAYKCZImiZPyLGQB
GRYCS1oxGDAWBgoJkiaJk/IsZAEZFghSQUlMV0FZUzEUMBIGCgmSJomT8ixkARkW
BFJFTVMxCzAJBgNVBAMTAkNBMB4XDTEyMTIyODIyNTI1MFoXDTE3MTIyNzIyNTI1
MFowbjESMBAGCgmSJomT8ixkARkWAktaMRgwFgYKCZImiZPyLGQBGRYIUkFJTFdB
WVMxFDASBgoJkiaJk/IsZAEZFgRSRU1TMSgwEgYDVQQDEwtMZW8gVHJ1YmFjaDAS
BgoJkiaJk/IsZAEBEwRBMDAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdNggw/D70jEfc7
dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrgEtRLyFFv3OB1
sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qoLl7aBIpbugFe
w6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2XUUMOqi+/jFm
iXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi/JR8dsm985c5
KPLIxWVGK0VKC67catEY5j/70wIDAQABoz8wPTAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIC/DAdBgNVHQ4EFgQUbmKGUje1HCUQVd//jZjJmgYJ2mswDQYJKoZI
hvcNAQEFBQADggEBALJEtadF5zPh6pJzj0c2vLISnZ4jBi6aaCOvz1Ph2gFrI9te
mvXVnlFLe7JJxStDlLurQ+hLqY9Q8vIczAEp2r9uJyfBpeHsc0YP6UbOXg6WLHLl
fU0tKb9PqfcMwfKUH8Nb6Q6Kt5EuQzIraYweXHNyOiKSB3ZogjPVdZnoe5gXYUpG
5cE8k2SjGVEWxc94ygcbiN+ziaUz/jos+TwqgsBp+yel0frO3DKGqQjfuOLgeTpf
xaNlPXdzFfEn0VWva36skrRzHNwZESI/Dd626eyUfxuTLLq5+Gb1D8WZj5RRqu1n
I9cZs9gCmZswWQy2/cExRPhgSWbwUWOhOCQsFVo=
-----END CERTIFICATE-----
Python代码:
leo@leo-VirtualBox:~/development/pki-client$ cat httpstest.py
from httplib import HTTPSConnection
from config import ADMIN_CERT, ADMIN_KEY
h = HTTPSConnection(
'ca.cloud.leotr.org', 443, key_file=ADMIN_KEY, cert_file=ADMIN_CERT)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
print(resp.read())
输出:
leo@leo-VirtualBox:~/development/pki-client$ python httpstest.py
400
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
让我们尝试更多级别的 Python 代码
leo@leo-VirtualBox:~/development/pki-client$ cat ssltest.py
from config import ADMIN_CERT, ADMIN_KEY
import socket
import ssl
sock = socket.create_connection(('ca.cloud.leotr.org', 443), None)
print('Admin key: ', ADMIN_KEY)
print('Admin cert', ADMIN_CERT)
sslsock = ssl.wrap_socket(
sock, keyfile=ADMIN_KEY, certfile=ADMIN_CERT)
request = ('GET / HTTP/1.1',
'Host: ca.cloud.leotr.org',
'Accept: text/html',
'Accept-Encoding: gzip,deflate,sdch')
request_body = '\n'.join(request) + '\n'*2
sslsock.write(request_body)
response = sslsock.read()
print response
Python 结果
leo@leo-VirtualBox:~/development/pki-client$ python ssltest.py
('Admin key: ', 'admin.privkey.pem')
('Admin cert', 'admin.crt')
HTTP/1.1 400 Bad Request
Server: nginx/1.1.19
Date: Fri, 04 Jan 2013 04:59:52 GMT
Content-Type: text/html
Content-Length: 231
Connection: close
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
所以我不明白出了什么问题。