如何设置 aiohttp https 服务器和客户端？

Question

我正在尝试了解如何保护数据在通过服务器和工作人员之间的开放网络传输后不被更改

在我的脑海里，我在想它应该遵循这样的东西：

|server|---send_job----->|worker|
|      |<--send_results--|      |
|      |                 |      |
|      |-send_kill_req-->|      |

显然我不希望有人改变我的 send_job 来做一些邪恶的事情，我也不希望有人偷看我的结果。

所以我有一个超级简单的 aiohttp client/server 设置，我正在尝试将 ssl 实施到其中，但我完全迷路了。

下面是我尝试过的最基本的东西，但我也尝试通过以下方式实现我自己的 ssl 证书：

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt

随着documentation的关注，但我仍然无法get任何回应。

我该如何正确实施 ssl_context 才能让它发挥作用？！

server.py

from aiohttp import web
import msgpack
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])

ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)

client.py 导入 aiohttp 导入异步 导入 ssl

async def main():
    sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    async with aiohttp.ClientSession() as session:
        async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
            html = await response.read()
            print(html)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())

1. 运行 python3 server.py合一window
2. 运行 python3 client.py 在另一个 window

然后我通常会得到这样的结果：

Traceback (most recent call last):
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
    yield from waiter
ConnectionResetError

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "client.py", line 14, in <module>
    loop.run_until_complete(main())
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
    return future.result()
  File "client.py", line 9, in main
    async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
    self._resp = await self._coro
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
    timeout=timeout
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
    req, traces, timeout)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
    raise last_exc
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
    req=req, client_error=client_error)
  File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
    raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]

---

解决方案：

这是一个两部分问题，

1. 我不知道我在用 openssl 做什么，requests 库帮助我解决了这个问题！

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
   

   事实证明，我在制作 openssl 证书时默认设置的那些行实际上很重要。稍微更正确（但可能仍然错误）的配置类似于

   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:.
   Locality Name (eg, city) []:.
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
   Organizational Unit Name (eg, section) []:.
   Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
   Email Address []:.
   

   让我得到了结果：

   import requests
   requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
   
   SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
   

   看起来 'subjectAltName' 有点难添加，需要比简单命令更多的工作，你会想要遵循像 this 这样的指南，我会的尝试一下，看看错误是否消失。

2. 我认为我错误地使用了 ssl.Purpose.CLIENT/SERVER_AUTH，正如@Andrej 所提到的，我将其切换（如下所示）并进行了一些其他更改，现在我得到了正确的反应。我就这么说吧，我肯定还是不明白ssl.Purpose，但至少我现在有一些可以用的东西，希望我能及时弄清楚剩下的。
   client.py

   import aiohttp
   import asyncio
   import ssl
   
   
   async def main():
       sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt')
       async with aiohttp.ClientSession() as session:
           async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response:
               html = await response.read()
               print(html)
   
   loop = asyncio.get_event_loop()
   loop.run_until_complete(main())
   

   server.py

   from aiohttp import web
   import ssl
   
   async def handle(request):
       name = request.match_info.get('name', "Anonymous")
       text = "Hello, " + name
       return web.Response(text=text)
   
   app = web.Application()
   app.add_routes([web.get('/', handle),
                   web.get('/{name}', handle)])
   
   ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
   ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
   web.run_app(app, ssl_context=ssl_context)
   

   commandline

   >python3 server.py
   # Switch to a new window/pane
   >python3 client.py
   b'Hello, JOHNYY'
   

编辑： 我只是想 post 为正在处理此类问题的任何人提供更新。我认为使用 python 加密库是生成 crt/key 文件的更好方法，所以如果您有兴趣，请随意使用 use/modify 这个模板（我不保证这些是最好的实践）：

#!/usr/bin/env python
"""
stuff for network security
"""

import socket
import datetime

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes

import attr


@attr.s(auto_attribs=True)
class Netsec:
    hostname: str = attr.Factory(socket.gethostname)
    out_file_name: str = "domain_srv"

    def generate_netsec(self):
    # GENERATE KEY
        key = rsa.generate_private_key(
            public_exponent=65537,
            key_size=2048,
            backend=default_backend(),
        )

        with open(f"{self.out_file_name}.key", "wb") as f:
            f.write(key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.TraditionalOpenSSL,
                encryption_algorithm=serialization.NoEncryption(),
            ))

        subject = issuer = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
            x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wala Wala"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"),
            x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
        ])

        cert = x509.CertificateBuilder().subject_name(
            subject
        ).issuer_name(
            issuer
        ).public_key(
            key.public_key()
        ).serial_number(
            x509.random_serial_number()
        ).not_valid_before(
            datetime.datetime.utcnow()
        ).not_valid_after(
            # Our certificate will be valid for 5 years
            datetime.datetime.utcnow() + datetime.timedelta(days=365*5)
        ).add_extension(
            x509.SubjectAlternativeName([
                x509.DNSName(u"localhost"),
                x509.DNSName(self.hostname),
                x509.DNSName(u"127.0.0.1")]),
            critical=False,
        # Sign our certificate with our private key
        ).sign(key, hashes.SHA256(), default_backend())

        with open(f"{self.out_file_name}.crt", "wb") as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

Answer 1

您正在创建证书，但没有将它们加载到 SSL 链中。并将您的 ssl_context 创作从 ssl.Purpose.SERVER_AUTH 更改为 ssl.Purpose.CLIENT_AUTH:

from aiohttp import web
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.add_routes([web.get('/', handle),
                web.get('/{name}', handle)])


ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')

web.run_app(app, ssl_context=ssl_context)

当您运行您的服务器时，客户端将在连接时打印：

b'Hello, Anonymous'