EE 证书密钥太弱 (_ssl.c:1131)

EE certificate key too weak (_ssl.c:1131)

我在我的 Modbus 应用程序中使用 python 3.8 客户端示例,但出现如下错误:

    self._sock = context.wrap_socket(self._sock, server_hostname=self._host)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1131)

我添加了连接代码:

 def _do_open(self):
        """Open a TCP connection to the Modbus slave and wrap it in TLS.

        Any socket already held in self._sock is closed first. On return,
        self._sock is the TLS-wrapped socket. Errors from connect() or from
        the TLS handshake (including certificate verification failures)
        propagate to the caller.
        """
        # Drop the previous connection, if any, before creating a new socket.
        if self._sock:
            self._sock.close()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # presumably set_timeout() applies the timeout to self._sock, so it is
        # called only after the socket exists; confirm against its definition.
        self.set_timeout(self.get_timeout())
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        call_hooks("modbus_tcp.TcpMaster.before_connect", (self, ))
        # PROTOCOL_TLS_CLIENT starts with verify_mode = CERT_REQUIRED and
        # check_hostname = True; the lines below change part of that.
        context = SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # context.options |= ssl.OP_NO_SSLv3
        # Only TLS 1.0 is refused here; the TLS 1.1 line below stays disabled,
        # so this code itself does not rule out TLS 1.1.
        context.options |= ssl.OP_NO_TLSv1
        # context.options |= ssl.OP_NO_TLSv1_1

        # 'cert.pem' is the only trust material loaded into this context. The
        # path is relative, so it is resolved against the process working
        # directory.
        context.load_verify_locations('cert.pem')
        # NOTE(review): with check_hostname off, the names in the peer
        # certificate are not compared with self._host, so any certificate
        # that chains to cert.pem is accepted for any host.
        context.check_hostname = False
        # NOTE(review): CERT_NONE would switch certificate verification off
        # entirely; it hides a weak-key error instead of fixing it. Keep this
        # line disabled.
        # context.verify_mode = ssl.CERT_NONE
        # with create_connection((self._host, self._port)) as self._sock:
        self._sock.connect((self._host, self._port))
        # time.sleep(4)
        # print("db:1")
        # The TLS handshake runs inside wrap_socket() on the connected socket,
        # so SSLCertVerificationError is raised from this call.
        # server_hostname is still passed even though hostname checking is off.
        self._sock = context.wrap_socket(self._sock, server_hostname=self._host)
        #         # print("db:2")
        # The after_connect hook is disabled in this version of the method.
        # call_hooks("modbus_tcp.TcpMaster.after_connect", (self, ))

作为变通办法,如果加上 context.verify_mode = ssl.CERT_NONE 这一行,程序可以成功运行,但这不是正确的做法。我该如何解决这个问题?

这是服务器端使用的证书和密钥(是我在 GitHub 上找到的示例密钥和证书):

/*
 * PEM text of the server's private key (PKCS#8 "PRIVATE KEY" block), stored
 * as one NUL-terminated string built from adjacent literals.
 *
 * According to the post, this is a sample key copied from a public
 * repository, so it is not secret. It belongs to a certificate whose RSA key
 * is only 512 bits. Use it as a test fixture only.
 */
const char *privkey =
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAhD0FKNdH91c8Vis0\n"
    "T7Pli3Grb+BM5xA1V/iNTGer5WSwJlAab6lJ6NNh7R15AXOO7XODOs58ikmEqgWi\n"
    "wacQfwIDAQABAkAG4KeSirPO/OYB80hKtugC2xwX+vn08IZdt2sd5Kxvhzvmp9eM\n"
    "F4QhlQLHOMrk5LkM7FF0G3FgZHlOAZAVbQTtAiEA6SOLWEpnCCEkkCLMmZTcwzV0\n"
    "cX9c7ngnOF/xwIn8IT0CIQCRNJVZ3YcJoXFuOCdUid8qOqdatCDkV8TQNxXxPVSc\n"
    "awIgR1fIMXl7NAKoZK8xeyIRuG7oNj8qWhNMtTSvDyNqk2UCIGgVWi0ldwN3Pviz\n"
    "tbWKcnYxvv5sedtT8pcRtV/MB5drAiBZSqkW9Ha37EObdrctWBvBvHtUp8k9XOy6\n"
    "1X0wxUy5BQ==\n"
    "-----END PRIVATE KEY-----\n";

/*
 * PEM text of the server certificate, stored as one NUL-terminated string
 * built from adjacent literals.
 *
 * The certificate carries a 512-bit RSA public key. Clients that enforce a
 * minimum key size fail verification with "EE certificate key too weak".
 * It is a sample certificate for testing; reissue it with a stronger key for
 * real use.
 */
const char *cert =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB2jCCAYSgAwIBAgIIU3U2E0/GMUowDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UE\n"
    "AwwPU3RyYWlnaHQgUm9vdENBMB4XDTIwMTExNTAwMDAwMFoXDTQwMTExNTAwMDAw\n"
    "MFowGjEYMBYGA1UEAwwPU3RyYWlnaHQgU2VydmVyMFwwDQYJKoZIhvcNAQEBBQAD\n"
    "SwAwSAJBAIQ9BSjXR/dXPFYrNE+z5Ytxq2/gTOcQNVf4jUxnq+VksCZQGm+pSejT\n"
    "Ye0deQFzju1zgzrOfIpJhKoFosGnEH8CAwEAAaOBrTCBqjBJBgNVHSMEQjBAgBSD\n"
    "hOKzs+3Mo56OeliOMM0gQZgafKEepBwwGjEYMBYGA1UEAwwPU3RyYWlnaHQgUm9v\n"
    "dENBgghnEtSASbZ0HDAdBgNVHQ4EFgQUGroKNtRTXQ7nxeYSQlZq35oVQDQwDAYD\n"
    "VR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASggZzZXJ2\n"
    "ZXKCCHN0cmFpZ2h0MA0GCSqGSIb3DQEBCwUAA0EAO02jJwxokR4CeA8DDJqp/9Qk\n"
    "0dim//+cjVTjxqIgUS5ykNW2CAIRuP5rVyzNv6U02F0q92Vs/754/ep+TyT70w==\n"
    "-----END CERTIFICATE-----\n";

对您的证书运行 openssl x509 -text -in cert.pem,输出显示:

    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (512 bit)
            Modulus:
                00:84:3d:05:28:d7:47:f7:57:3c:56:2b:34:4f:b3:

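512 位 RSA 早在多年前就已非常脆弱,这正是程序报错的原因:错误信息 “EE certificate key too weak” 中的 EE 指终端实体证书(即服务器自己的证书),它的密钥强度不足,因此在证书验证阶段被拒绝。您需要使用更强的密钥重新创建证书,例如至少 2048 位 RSA。另外,上面贴出的私钥已经公开,只适合用于测试;用 CERT_NONE 关闭证书验证只会掩盖问题,并不能解决它。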