我正在尝试通过 TLS 执行我的 Flask 应用程序,这是我的示例:
from flask import Flask
import ssl
app = Flask(__name__)
@app.route('/ping')
def ping():
return 'pong'
if __name__ == '__main__':
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations('./ca-crt.pem')
context.load_cert_chain('./server.crt', './server.key')
app.run('0.0.0.0', 8080, ssl_context=context)
这就是我生成证书的方式:
# create server private key and server CSR
openssl req -nodes -new -keyout server.key -out server.csr
# generate certicate based on server's CSR using CA root certificate and CA private key
openssl x509 -req -days 365 -in server.csr -CA ca-crt.pem -CAkey ca.key -CAcreateserial -out server.crt
# verify the certificate (optionally)
openssl verify -CAfile ca-crt.pem server.crt
而对于客户端证书:
# create client private key and client CSR
openssl req -nodes -new -keyout client.key -out client.csr
# generate certicate based on client's CSR using CA root certificate and CA private key
openssl x509 -req -days 365 -in client.csr -CA ca-crt.pem -CAkey ca.key -CAcreateserial -out client.crt
# verify the certificate (optionally)
openssl verify -CAfile ca-crt.pem client.crt
但是当我尝试执行我的 curl 请求时:
curl --insecure --cacert ca-crt.pem --key client.key --cert client.crt https://localhost:8080/ping -v
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* found 1 certificates in ca-crt.pem
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: CA is unknown
* Closing connection 0
curl: (35) gnutls_handshake() failed: CA is unknown
问题是什么?
如果我删除部分以识别客户端,它可以工作:
if __name__ == '__main__':
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain('server.crt', 'server.key')
app.run('0.0.0.0', 8080, ssl_context=context)
curl --insecure https://localhost:8080/ping
pong
此外,对于带有密码的证书,如何在加载证书时指定 PEM 密码?