So, I'm currently trying to build a client-authentication system using the Python ssl module. My question is the following: do the lines below give me client authentication?
Server side
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile="ca_bundle.pem")
context.check_hostname = False
Client side
context.load_cert_chain(certfile="client_crt.pem", keyfile="client_private_key.pem")
context.load_verify_locations(cafile=CERT_AU)
".CERT_REQUIRED" is explained here, and load_verify_locations here. The last line is there because my certificate uses an ID as the Common Name rather than a DNS name or IP address.
What I want is to force the client to send me a certificate carrying a signature and to compare that signature against the public key it provides, i.e. to show that it really holds the private key assigned to that certificate.
Do these lines give me that? If not, how do I implement client authentication in Python?
==EDIT== For anyone still interested, here is a bit more of the code (note: my actual code is too big, so I'm only posting the relevant parts)
Server side
import socket
import ssl
from _thread import start_new_thread

# port_ssl, my_cert, private_key, ca_bundle and recebimento_individual are defined
# elsewhere in the (unposted) rest of the code.

# thread started from the main process
def recebe_conexao_ssl(Client, fim, lock):
    sock = socket.socket()
    sock.bind(('', port_ssl))
    sock.listen(5)
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile=my_cert, keyfile=private_key)
    '''
    The next 3 lines force the client to send its own certificate. But I don't know whether they authenticate it (i.e. test whether the client holds the private key corresponding to the certificate it sent).
    More details: https://docs.python.org/3.8/library/ssl.html#ssl.CERT_REQUIRED
    '''
    context.verify_mode = ssl.CERT_REQUIRED          # handshake fails unless the client presents a certificate
    context.load_verify_locations(cafile=ca_bundle)  # the presented certificate must chain to a CA in ca_bundle
    context.check_hostname = False
    '''
    I don't use check_hostname because my IPs are dynamic
    '''
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    context.set_ciphers('EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')
    with open("client_1.txt", "a") as file:
        file.write("ssl_connection started\n-----------\n")
    while True:
        ssock, addr = sock.accept()
        # the TLS handshake (context.wrap_socket) happens inside recebimento_individual
        start_new_thread(recebimento_individual, (ssock, context, lock))
        print("connection accepted!")
    print("Server shutting down!")
Client side
import socket
import ssl

# my_cert, private_key and ca_bundle are defined elsewhere in the (unposted) rest of the code.

def enviar_msg(Client):
    sock = socket.socket(socket.AF_INET)
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    context.set_ciphers('EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')
    context.check_hostname = False                                   # certificate CN is an ID, not a hostname
    context.load_cert_chain(certfile=my_cert, keyfile=private_key)  # the client's own cert, sent when the server asks for one
    context.load_verify_locations(cafile=ca_bundle)                 # CA used to verify the server's certificate
    conn = context.wrap_socket(sock)
    # (rest of the function not posted)
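The handshake the question is asking about, as an added example that is not part of the original post: a server configured with CERT_REQUIRED, and four clients run against it in turn: one whose certificate chains to the server's CA, one whose certificate is valid but whose CN (ID) is not on an allow-list, one whose certificate carries the right ID but was signed by a different CA, and one that presents no certificate at all. The certificates are minted at run time with the openssl command-line tool, which the example assumes is on PATH; the IDs (device-42, device-99), CA names and the ALLOWED_IDS allow-list are made up for the example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

ALLOWED_IDS = {"device-42"}  # made-up allow-list of client IDs (certificate CNs)

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def issue_cert(workdir, name, cn, ca=None):
    """Self-signed CA when ca is None, otherwise a leaf signed by that CA.
    Returns (key_path, cert_path); P-256 keys keep generation fast."""
    key, crt = os.path.join(workdir, name + ".key"), os.path.join(workdir, name + ".pem")
    newkey = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]
    if ca is None:
        _openssl("req", "-x509", *newkey, "-keyout", key, "-out", crt,
                 "-days", "1", "-subj", "/CN=" + cn)
    else:
        csr = os.path.join(workdir, name + ".csr")
        _openssl("req", "-new", *newkey, "-keyout", key, "-out", csr, "-subj", "/CN=" + cn)
        _openssl("x509", "-req", "-in", csr, "-CA", ca[1], "-CAkey", ca[0],
                 "-CAcreateserial", "-out", crt, "-days", "1")
    return key, crt

def peer_common_name(cert):
    """Pull the CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert["subject"]:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def serve(listener, server_cert, ca_bundle, n_connections, outcomes):
    """Accept n_connections and append one result string per connection."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=server_cert[1], keyfile=server_cert[0])
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert -> handshake fails
    ctx.load_verify_locations(cafile=ca_bundle)  # client cert must chain to this CA
    ctx.check_hostname = False                   # CN is an ID, not a DNS name
    for _ in range(n_connections):
        raw, _ = listener.accept()
        try:
            # wrap_socket runs the handshake: the client's CertificateVerify signature proves it
            # holds the key for the cert it sent, and the chain is checked against ca_bundle.
            with ctx.wrap_socket(raw, server_side=True) as tls:
                cn = peer_common_name(tls.getpeercert())
                if cn in ALLOWED_IDS:            # authorization is still our job
                    tls.sendall(b"hello " + cn.encode())
                    outcomes.append("accepted " + cn)
                else:
                    tls.sendall(b"forbidden")
                    outcomes.append("forbidden " + str(cn))
        except ssl.SSLError as err:
            outcomes.append("rejected " + str(err.reason))
        finally:
            raw.close()

def connect(port, ca_bundle, client_cert=None):
    """Connect as a client; return the server's reply or a failure marker."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = False  # server CN is an ID; its chain is still verified
    if client_cert is not None:
        ctx.load_cert_chain(certfile=client_cert[1], keyfile=client_cert[0])
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw) as tls:
                reply = tls.recv(1024)  # a TLS 1.3 server's rejection lands here
                return reply.decode() if reply else "failed: closed by server"
    except OSError as err:
        return "failed: " + (getattr(err, "reason", None) or type(err).__name__)

def demo():
    """Run four client scenarios against a throw-away PKI; return (replies, server log)."""
    with tempfile.TemporaryDirectory() as d:
        ca = issue_cert(d, "ca", "Demo Root CA")
        rogue_ca = issue_cert(d, "rogue-ca", "Rogue CA")
        server = issue_cert(d, "server", "server-1", ca)
        good = issue_cert(d, "device-42", "device-42", ca)
        unknown = issue_cert(d, "device-99", "device-99", ca)
        forged = issue_cert(d, "forged", "device-42", rogue_ca)  # right ID, wrong CA
        listener = socket.create_server(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        log = []
        t = threading.Thread(target=serve, args=(listener, server, ca[1], 4, log))
        t.start()
        replies = {"good": connect(port, ca[1], good),
                   "unknown_id": connect(port, ca[1], unknown),
                   "rogue_ca": connect(port, ca[1], forged),
                   "no_cert": connect(port, ca[1])}
        t.join()
        listener.close()
        return replies, log

if __name__ == "__main__":
    print(demo())
```

What the handshake settles is possession: a client cannot complete a CERT_REQUIRED handshake without signing the CertificateVerify message with the private key matching the certificate it sent, and the server's wrap_socket refuses the connection unless that certificate chains to a CA in ca_bundle. What the handshake does not settle is which client this is: with check_hostname = False nothing compares the CN to anything, so the allow-list check after wrap_socket is where that decision has to be made. Note also that with TLS 1.3 the client's own wrap_socket returns before the server has verified its certificate, so a rejection surfaces on the client's first recv rather than during the handshake call.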