1

我有一个奇怪的问题。看起来 OpenSSL 的“s_client”工具不喜欢我的 AppEngine 应用程序的 SSL 证书,甚至不承认它(“没有可用的对等证书”),但是 Python 的 SSL 模块报告了颁发者、日期范围、序列号、主题等等,好像完全没有问题一样。

我假设我的 SSL 证书存在一些细微的错误配置,但是,由于 AppEngine 提供了一个非常简单的上传证书向导,说配置错误就是说谷歌的功能被破坏了......我怀疑这是案子。

如果其他人经历过,我很想对此有所了解。

s_client:

openssl s_client -connect www.abc.com:443

s_client 输出:

CONNECTED(00000003)
3073997000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Python 3.3 测试脚本:

import socket

from ssl import wrap_socket, CERT_NONE, PROTOCOL_SSLv23
from ssl import SSLContext  # Modern SSL?
from ssl import HAS_SNI  # Has SNI?

from pprint import pprint

# Stole this from "requests" package.
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                    ca_certs=None, server_hostname=None,
                    ssl_version=None):

    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        try:
            context.load_verify_locations(ca_certs)
        # Py32 raises IOError
        # Py33 raises FileNotFoundError
        except Exception as e:  # Reraise as SSLError
            raise SSLError(e)

    if certfile:
        # FIXME: This block needs a test.
        context.load_cert_chain(certfile, keyfile)

    if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
        return context.wrap_socket(sock, server_hostname=server_hostname)

    return context.wrap_socket(sock)

hostname = 'www.abc.com'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, 443))

sslSocket = ssl_wrap_socket(s,
                            ssl_version=2, 
                            cert_reqs=2, 
                            ca_certs='/usr/local/lib/python3.3/dist-packages/requests/cacert.pem', 
                            server_hostname=hostname)

pprint(sslSocket.getpeercert())
s.close()

测试脚本输出:

{'issuer': ((('countryName', 'US'),),
            (('organizationName', 'GeoTrust, Inc.'),),
            (('commonName', 'RapidSSL CA'),)),
 'notAfter': 'Oct  2 20:01:20 2014 GMT',
 'notBefore': 'Sep 29 02:17:38 2013 GMT',
 'serialNumber': '0E45AF',
 'subject': ((('serialNumber', 'd3tVuFeMunyn/gFFucMFHgZ2iBihdthR'),),
             (('organizationalUnitName', 'GT22884059'),),
             (('organizationalUnitName',
               'See www.rapidssl.com/resources/cps (c)13'),),
             (('organizationalUnitName',
               'Domain Control Validated - RapidSSL(R)'),),
             (('commonName', 'www.abc.com'),)),
 'subjectAltName': (('DNS', 'www.abc.com'),
                    ('DNS', 'abc.com')),
 'version': 3}
4

1 回答 1

1

问题是我没有在“s_client”调用中包含“servername”参数。

于 2013-10-02T23:48:40.740 回答