Problem description
I am using ssl.py to connect to a webserver and I would like to verify the server certificate.
I have a ROOT_CA which signs an INTERMEDIATE_CA and this finally signs the SERVER_CERTIFICATE.
I would like to provide the client only the INTERMEDIATE_CA so it can verify all certificates signed by it. However, it appears that I need to provide the entire certificate chain ROOT_CA->INTERMEDIATE_CA in order for the verification to work.
Any insights on this?
Here is the script I am using:
import asyncio
import pathlib
import ssl
import websockets

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.check_hostname = False  # hostname matching disabled; only the chain is verified
ssl_context.verify_mode = ssl.CERT_REQUIRED
# trust store: file containing the intermediate CA (and, as it turns out, the root is needed too)
server_cert = pathlib.Path(__file__).with_name("intermediate_ca_server.ca-chain.cert.pem")
ssl_context.load_verify_locations(server_cert)

async def hello():
    uri = "wss://<url>"
    async with websockets.connect(
        uri, ssl=ssl_context
    ) as websocket:
        await websocket.send('test data')
        greeting = await websocket.recv()
        print(f"< {greeting}")

asyncio.run(hello())  # run the coroutine
Recommended answer
By default OpenSSL needs the full certificate chain including the root certificate. With OpenSSL 1.0.2 a new verification flag X509_V_FLAG_PARTIAL_CHAIN was added which makes it possible to let the trust chain end in a trusted certificate even if this certificate is not a root certificate (i.e. subject and issuer differ).
It looks like Python does not have yet a constant defined for this so one needs to use the integer representation:
ctx = ssl.create_default_context()
ctx.load_verify_locations(cafile='subca.pem')  # contains only sub-CA
ctx.verify_flags |= 0x80000  # set X509_V_FLAG_PARTIAL_CHAIN (exposed as ssl.VERIFY_X509_PARTIAL_CHAIN since Python 3.10)
sock = ctx.wrap_socket(...)  # wrap_socket is the SSLContext method name; ssl_wrap does not exist
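To see the flag's effect end to end, here is an added example (not code from the question or the answer) that builds a throwaway ROOT -> INTERMEDIATE -> SERVER chain with the openssl command-line tool (assumed to be on PATH), runs a TLS server on localhost that sends only the leaf and the intermediate, and then checks three client configurations: trusting the root, trusting only the intermediate with default flags, and trusting only the intermediate with the partial-chain flag. The certificate names, the "Example ..." subjects and the hello message are constructed for the demo; the flag value 0x80000 is the one the answer gives, and ssl.VERIFY_X509_PARTIAL_CHAIN is used when the running Python provides it.

```python
"""Added example: verify a server chain while trusting only the intermediate CA."""
import socket
import ssl
import subprocess
import tempfile
import threading

# Python 3.10+ exposes the constant; older versions need the raw OpenSSL value.
PARTIAL_CHAIN = int(getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0x80000))


def _openssl(workdir, *args):
    """Run one openssl CLI command inside workdir (openssl assumed on PATH)."""
    subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)


def make_chain(workdir):
    """Create root.pem, inter.pem and server.pem/server.key in workdir.

    server.pem ends up holding the leaf followed by the intermediate, which is
    what a well-configured server sends; the root is deliberately not included.
    """
    exts = {  # constructed extension files for x509 -extfile
        "ca.ext": "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n",
        "leaf.ext": "basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n",
    }
    for name, body in exts.items():
        with open(f"{workdir}/{name}", "w") as fh:
            fh.write(body)
    for name in ("root", "inter", "server"):
        _openssl(workdir, "genrsa", "-out", f"{name}.key", "2048")
        _openssl(workdir, "req", "-new", "-key", f"{name}.key", "-out", f"{name}.csr",
                 "-subj", f"/CN=Example {name}")
    # Self-signed root CA.
    _openssl(workdir, "x509", "-req", "-in", "root.csr", "-signkey", "root.key",
             "-out", "root.pem", "-days", "2", "-extfile", "ca.ext")
    # Intermediate signed by the root, leaf signed by the intermediate.
    for name, issuer, ext in (("inter", "root", "ca.ext"), ("server", "inter", "leaf.ext")):
        _openssl(workdir, "x509", "-req", "-in", f"{name}.csr", "-CA", f"{issuer}.pem",
                 "-CAkey", f"{issuer}.key", "-CAcreateserial", "-out", f"{name}.pem",
                 "-days", "2", "-extfile", ext)
    with open(f"{workdir}/server.pem", "a") as out, open(f"{workdir}/inter.pem") as inter:
        out.write(inter.read())  # server presents leaf + intermediate, never the root


def _serve_once(server_ctx, listener):
    """Accept one connection, complete the handshake and send a greeting."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        tls = server_ctx.wrap_socket(conn, server_side=True)
        tls.sendall(b"hello over tls\n")
        tls.close()
    except (ssl.SSLError, OSError):
        pass  # the client rejected our chain; expected in the failing case


def verify_with_trust(workdir, trust_file, partial_chain):
    """Return True if a client trusting only trust_file completes the handshake."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(f"{workdir}/server.pem", f"{workdir}/server.key")
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    thread = threading.Thread(target=_serve_once, args=(server_ctx, listener), daemon=True)
    thread.start()

    # PROTOCOL_TLS_CLIENT enables check_hostname and CERT_REQUIRED by default.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.load_verify_locations(f"{workdir}/{trust_file}")
    if partial_chain:
        client_ctx.verify_flags |= PARTIAL_CHAIN   # allow the chain to end at a trusted non-root
    else:
        client_ctx.verify_flags &= ~PARTIAL_CHAIN  # make sure the flag is really off
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(64) == b"hello over tls\n"
    except ssl.SSLCertVerificationError:
        return False
    finally:
        thread.join(timeout=5)
        listener.close()


def demo():
    """Run the three trust configurations against a freshly generated chain."""
    with tempfile.TemporaryDirectory() as workdir:
        make_chain(workdir)
        return {
            "root only, default flags": verify_with_trust(workdir, "root.pem", False),
            "intermediate only, default flags": verify_with_trust(workdir, "inter.pem", False),
            "intermediate only, PARTIAL_CHAIN": verify_with_trust(workdir, "inter.pem", True),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

With default flags the intermediate-only trust store fails because OpenSSL keeps walking up to the root and cannot find it anywhere; with the partial-chain flag the walk stops at the trusted intermediate and the handshake succeeds. Note that the example keeps hostname checking on, which the question's script turned off: pinning the trust store to one intermediate narrows which CA can issue the certificate, but it does not by itself stop another certificate from that same CA being accepted for the wrong host.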
This concludes the question on the Python WSS library requiring the entire certificate chain to verify the server.