相互TLS身份验证SSLV3 \u警报\u不支持的\u证书

2024-10-01 15:45:07 发布

您现在位置:Python中文网/ 问答频道 /正文
1939 3

我目前正在尝试在客户机和服务器之间实现相互TLS身份验证。我遇到了一个SSL错误,它不是很具有描述性。StackOverflow也没有太多的相关问题,因为大多数情况下,StackOverflow是一个单向TLS。但是,据我所见,发生此错误的原因是客户证书有问题,因此下面我附上了与此相关的信息。如果不是这样,请告诉我。在

生成客户端证书

我客户的cnf(foo.config)看起来像(替换了所有敏感信息):

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = dn
encrypt_key = no

[ dn ]
O=Bar
OU=User
CN=myuser@foo.com

[ req_ext ]
subjectAltName = email:myuser@foo.com
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

我使用openssl传入这个配置文件来创建csr:

^{pr2}$

然后我将其发送到内部的基础设施管理API,以签署x509证书。我将客户机证书另存为foo.cert(它包含到CA的信任链)。在

我的客户如何发送证书

当我向我的服务器发送urllib open请求时,我使用HTTPSConnection发送ssl上下文:

... # Inside some handler code
context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
            cafile=ROOT_CA)
context.load_cert_chain(certfile=CERT_DEST, keyfile=KEY_DEST)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
return http.client.HTTPSConnection(host, context=context)

我的烧瓶服务器如何设置

当我的测试flask服务器接受ssl上下文时:

executor = Flask(__name__)
context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=TEST_CA_CERT)
context.load_cert_chain(certfile=TEST_CERT, keyfile=TEST_KEY)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = False
executor.run(host=host, port=port, ssl_context=context)

它建立自己的证书和密钥文件。它还设置客户端身份验证请求。在

完全错误回溯

在运行时,在调用期间,我得到以下回溯(替换所有敏感信息):

Traceback (most recent call last):
  File "/auto/foo/python3-rhel6/lib/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/auto/foo/python3-rhel6/lib/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/auto/foo/python3-rhel6/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/auto/foo/python3-rhel6/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/auto/foo/python3-rhel6/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/auto/foo/python3-rhel6/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_UNSUPPORTED_CERTIFICATE] sslv3 alert unsupported certificate (_ssl.c:833)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./bar.py", line 375, in <module>
    start(args, overrides, threadlock)
  File "./bar.py", line 332, in start
    approved, alloc_message = Executor.approve(flow.the_portal.inst)
  File "/home/myuser/dev/bar/Executor.py", line 638, in approve
    with opener.open(request, json_request) as response:
  File "/auto/foo/python3-rhel6/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/auto/foo/python3-rhel6/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/auto/foo/python3-rhel6/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/home/myuser/dev/bar/Auth.py", line 77, in https_open
    return self.do_open(self.getConnection, req)
  File "/auto/foo/python3-rhel6/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_UNSUPPORTED_CERTIFICATE] sslv3 alert unsupported certificate (_ssl.c:833)>

如果需要更多的信息,请尽管告诉我。任何帮助都将不胜感激。在

编辑: 这是证书(用修订的形式):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=foo, CN=Foo Issuing CA - XXX
        Validity
            Not Before: ... 2018 GMT
            Not After : ... GMT
        Subject: O=Bar, OU=User, CN=myuser@foo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                ...
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                email:myuser@foo.com
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                ...

            X509v3 CRL Distribution Points:

                Full Name:
                    ...
            Authority Information Access:
                CA Issuers - ...
                CA Issuers - ...

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

使用我的证书包验证此文件时,会显示:

openssl verify -CAfile /.../certification_bundle.pem foo.cert
foo.cert: OK

我使用的是opensslv.1.0.1e-fips。这应该支持TLSv1.2。在


Tags: inpyselfsslautofoorequestlib
2条回答
网友
1楼 · 编辑于 2024-10-01 15:45:07

抱歉,我无法发表评论,但听起来您的证书签名请求缺少扩展密钥使用(EKU)扩展。您可能需要添加:

extendedKeyUsage = clientAuth

给你req_ext部分。在

然后重新生成CSR并使用openssl req -in foo.csr -text验证签名请求是否包含EKU扩展:

^{pr2}$
网友
2楼 · 编辑于 2024-10-01 15:45:07
       X509v3 Key Usage:
            Key Encipherment, Data Encipherment

客户端证书由客户端对某个质询签名,服务器对签名进行验证。要签署此质询,证书的密钥用法必须是数字签名。您的证书没有此项,因此无法用于客户端身份验证。在

另请参见Recommended key usage for a client certificate。在

有趣的是,您的CSR可能包含了适当的密钥用法,至少您尝试过添加它:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

因此,CA可能以错误的方式颁发了证书,即与您请求的不同。在

相关问题 更多 >

    编程相关推荐

    热门问题