-3

我正在尝试连接到使用 HTTPS 客户端证书身份验证的 Web 服务器。当我使用 curl 时它工作正常:

leo@leo-VirtualBox:~/development/pki-client$ curl --key admin.privkey.pem --cert admin.crt -k --url "https://ca.cloud.leotr.org/"
<!DOCTYPE html>
<html>
<head>
    <title>Welcome to CA</title>
    <link href="/static/bootstrap/css/bootstrap.min.css"  rel="stylesheet"/>
</head>
<body>

<div class="container">
    <h1>REMS CA server</h1>
    <p class="lead">Hello and welcome to REMS CA. Currently this page is
        almost empty. But you can download CA root certificate and install it
    into your browser ;)</p>
    <a class="btn btn-large btn-primary" href="/remspki/cacert/">Download CA certificate</a>
    <a class="btn btn-large" href="/admin/">Go to Admin site <i class="icon-arrow-right"></i>    </a>
</div>

</body>
</html>

客户端私钥文件内容

leo@leo-VirtualBox:~/development/pki-client$ cat admin.privkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdN
ggw/D70jEfc7dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrg
EtRLyFFv3OB1sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qo
Ll7aBIpbugFew6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2
XUUMOqi+/jFmiXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi
/JR8dsm985c5KPLIxWVGK0VKC67catEY5j/70wIDAQABAoIBAAF+RwOhFmQIcBU7
kywMZ7XetGB6OTzSpBzzu5sjzLq4qqWtxfU00mL3gUzJPuQGE3Ldq986nhbR/mn3
6BkFpatsa8ypn0W9hYC8AK3KPPsmvGs+yCt/Lisxdv9PmcZc49LhWOtMBTMiYtFH
iTJdV5ToGT6kNirdLscxtCHsVe21EH2TMO4k06bK18UJFewswsyMN66FKX0wSF9w
yZ/9A9VJOaUOXo6Mos/tvyf9rjhOqb02DOqOuWVVFRWWax75+M2qKnacSuKfMPfc
21B3ulQRIcR7PjIVIMTZkLO+MjD7DBiywIcD50H1005cL05a8latjXdENY5Xeh9Z
duS4I5ECgYEA3BzbGf45gDzZWTeTjnfQ/9m3MuGmAzAG2zjStFQnquiMyH0IZzSB
/awKJxXcdO7cUXfjOWxIgA7nNj+ewOUXj5uQH9F+8cl+raxyEsixdPwfSzCyLcwD
Zp2SsoXKPRx12SrAbl5wQqePN6+pntLRmW8xfUKFZAhs5CtxQ6bymBkCgYEA1L+V
zas85TUITqZi0//lmdqWdfRhkHdIBkLsHxRE4RnEsfGqvy3XQZTQ0zLGjz4WtUSq
xjh0rK6jMGEGGypRM8G0kpfBpGFYu9Hy8hpFKDwnihfk/XnuaXBLiN82V8vVWGrl
tc5DrTHCxVbVW99W7IaVVLgY/D0kFI/195yYYMsCgYBGTIUBmTs+JLD6GJDs6IF8
pUkoW/8Md5NJAq3w4AvHPvxvr9c2NwPpQ7/+WbIOOpdtAZA1r8q784aOweTvEHvk
5rcyIlOb31GxIClSrHxYs4k/F29gxw6zAFJw59/+go90632IAmtyLlfEXjsbOZOt
oGC687rshvBYMzO6eqBySQKBgQCDG95x9Ql+J4SLE7br91PD0RXQc1587UWRtkRV
kuQv5PV2w/v5/YIehFt9DFmZhSXxZ/PmXHxqvuUKt4BP1XBdeQ6TGLrZVrScavJR
iSb9eLTVQYx5OV9X00B5hTW0PYWpC5esxwSmA3iIrM6n46dp9DarExkyuWs20NFA
W1z8qQKBgGD2XiB/N9QRVNW0CpuVgWx3HBllJpXT2QMeCx57AEeCmOnSkByyvYmR
Aszu2CQn2ynHO+3B46uJ+Sg2pmcEjvUrhERhRT23lpZY8VDGpfVjfQcqfVhwzrHQ
Y2kf6WV+C32klQ6bKOwwO9TavvKCloiENJfbRdLvGvswBVgnWlGW
-----END RSA PRIVATE KEY-----

客户证书

leo@leo-VirtualBox:~/development/pki-client$ cat admin.crt
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMRIwEAYKCZImiZPyLGQB
GRYCS1oxGDAWBgoJkiaJk/IsZAEZFghSQUlMV0FZUzEUMBIGCgmSJomT8ixkARkW
BFJFTVMxCzAJBgNVBAMTAkNBMB4XDTEyMTIyODIyNTI1MFoXDTE3MTIyNzIyNTI1
MFowbjESMBAGCgmSJomT8ixkARkWAktaMRgwFgYKCZImiZPyLGQBGRYIUkFJTFdB
WVMxFDASBgoJkiaJk/IsZAEZFgRSRU1TMSgwEgYDVQQDEwtMZW8gVHJ1YmFjaDAS
BgoJkiaJk/IsZAEBEwRBMDAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdNggw/D70jEfc7
dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrgEtRLyFFv3OB1
sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qoLl7aBIpbugFe
w6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2XUUMOqi+/jFm
iXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi/JR8dsm985c5
KPLIxWVGK0VKC67catEY5j/70wIDAQABoz8wPTAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIC/DAdBgNVHQ4EFgQUbmKGUje1HCUQVd//jZjJmgYJ2mswDQYJKoZI
hvcNAQEFBQADggEBALJEtadF5zPh6pJzj0c2vLISnZ4jBi6aaCOvz1Ph2gFrI9te
mvXVnlFLe7JJxStDlLurQ+hLqY9Q8vIczAEp2r9uJyfBpeHsc0YP6UbOXg6WLHLl
fU0tKb9PqfcMwfKUH8Nb6Q6Kt5EuQzIraYweXHNyOiKSB3ZogjPVdZnoe5gXYUpG
5cE8k2SjGVEWxc94ygcbiN+ziaUz/jos+TwqgsBp+yel0frO3DKGqQjfuOLgeTpf
xaNlPXdzFfEn0VWva36skrRzHNwZESI/Dd626eyUfxuTLLq5+Gb1D8WZj5RRqu1n
I9cZs9gCmZswWQy2/cExRPhgSWbwUWOhOCQsFVo=
-----END CERTIFICATE-----

Python代码:

leo@leo-VirtualBox:~/development/pki-client$ cat httpstest.py 
from httplib import HTTPSConnection
from config import ADMIN_CERT, ADMIN_KEY

h = HTTPSConnection(
    'ca.cloud.leotr.org', 443, key_file=ADMIN_KEY, cert_file=ADMIN_CERT)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
print(resp.read())

输出:

leo@leo-VirtualBox:~/development/pki-client$ python httpstest.py 
400
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>

让我们尝试更多级别的 Python 代码

leo@leo-VirtualBox:~/development/pki-client$ cat ssltest.py 
from config import ADMIN_CERT, ADMIN_KEY
import socket
import ssl

sock = socket.create_connection(('ca.cloud.leotr.org', 443), None)
print('Admin key: ', ADMIN_KEY)
print('Admin cert', ADMIN_CERT)
sslsock = ssl.wrap_socket(
    sock, keyfile=ADMIN_KEY, certfile=ADMIN_CERT)
request = ('GET / HTTP/1.1',
           'Host: ca.cloud.leotr.org',
           'Accept: text/html',
           'Accept-Encoding: gzip,deflate,sdch')
request_body = '\n'.join(request) + '\n'*2
sslsock.write(request_body)
response = sslsock.read()
print response

Python 结果

leo@leo-VirtualBox:~/development/pki-client$ python ssltest.py
('Admin key: ', 'admin.privkey.pem')
('Admin cert', 'admin.crt')
HTTP/1.1 400 Bad Request
Server: nginx/1.1.19
Date: Fri, 04 Jan 2013 04:59:52 GMT
Content-Type: text/html
Content-Length: 231
Connection: close

<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>

所以我不明白出了什么问题。

4

1 回答 1

0

这里的问题是您正在尝试连接到不在默认 CA 列表中的 CA。由于 CA 站点的证书由 CA 签名,因此在您首先下载并安装证书之前,无法通过 SSL 访问该站点。

HTML 结果显示有“下载 CA 根证书并将其安装到浏览器中”的说明。如果您不这样做,您会从浏览器中收到一条错误消息,如下所示:

Safari 无法验证网站“ca.cloud.leotr.org”的身份。

本网站的证书无效。您可能正在连接到一个伪装成“ca.cloud.leotr.org”的网站,这可能会使您的机密信息面临风险。是否仍要连接到该网站?

同样,如果您尝试使用curl,您会得到相同的错误:

curl: (60) SSL证书问题,验证CA证书是否OK。详细信息:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败更多详细信息:http ://curl.haxx.se/docs/sslcerts.html

curl 默认使用证书颁发机构 (CA) 公钥(CA 证书)的“捆绑”执行 SSL 证书验证。如果默认捆绑文件不够用,您可以使用 --cacert 选项指定备用文件。如果此 HTTPS 服务器使用捆绑包中表示的 CA 签名的证书,则证书验证可能由于证书问题而失败(证书可能已过期,或者名称可能与 URL 中的域名不匹配)。如果您想关闭 curl 对证书的验证,请使用 -k(或 --insecure)选项。

这样做的唯一原因是curl您已经指定了-k标志,也就是--insecure. 从手册页:

-k,--不安全

(SSL) 此选项明确允许 curl 执行“不安全”的 SSL 连接和传输。尝试使用默认安装的 CA 证书包来确保所有 SSL 连接的安全。这使得所有被认为是“不安全”的连接都失败,除非使用 -k, --insecure。

有关详细信息,请参阅此在线资源:http:
//curl.haxx.se/docs/sslcerts.html

再一次,在你的 Python 代码中,你得到了同样的错误。

在所有三种情况下,解决方案都是相同的:下载 CA 的证书并将其放入您的证书存储区(或明确使用它来代替您的默认证书存储区)。

于 2013-01-04T06:24:53.593 回答