无法从 Tornado Client 连接到基于 Tornado SSL 的服务器
Unable to connect to the Tornado SSL based server from Tornado Client
我是 ssl 之类的新手,我已经使用 openssl.
生成了自签名证书
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem
其中 Server 具有以下代码。
if __name__ == "__main__":
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain("/home/rootkit/ssl/certificate.pem",
"/home/rootkit/ssl/key.pem")
http_server = tornado.httpserver.HTTPServer(Application(), ssl_options=context)
#
# http_server = tornado.httpserver.HTTPServer(Application(), ssl_options={
# 'certfile': '/home/rootkit/ssl/certificate.pem',
# 'keyfile': '/home/rootkit/ssl/key.pem',
# })
http_server.listen(8888)
tornado.ioloop.IOLoop.current().start()
当我从 chrome 访问 url 时,它只是给出了异常,因为它没有被任何权威机构签名,所以我认为它是不安全的。
但是如果我通过 wireshark 看到流量,它会显示加密流量。
但是当我尝试连接 Tornado Client 时,它抛出以下错误。
WARNING:tornado.general:SSL Error on 6 ('127.0.0.1', 8888): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
ERROR:tornado.application:Exception in callback functools.partial(<function wrap.<locals>.null_wrapper at 0xb72e514c>, <Task finished coro=<check_status() done, defined at /home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py:82> exception=SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)')>)
Traceback (most recent call last):
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 758, in _run_callback
ret = callback()
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/stack_context.py", line 300, in null_wrapper
return fn(*args, **kwargs)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 779, in _discard_future_result
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/usr/lib/python3.5/asyncio/tasks.py", line 241, in _step
result = coro.throw(exc)
File "/home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py", line 89, in check_status
param = await client.fetch(request)
File "/usr/lib/python3.5/asyncio/futures.py", line 361, in __iter__
yield self # This tells Task to wait for completion.
File "/usr/lib/python3.5/asyncio/tasks.py", line 296, in _wakeup
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/simple_httpclient.py", line 272, in run
max_buffer_size=self.max_buffer_size)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1141, in run
yielded = self.gen.throw(*exc_info)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/tcpclient.py", line 242, in connect
server_hostname=host)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/iostream.py", line 1501, in _do_ssl_handshake
self.socket.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
这是客户端代码。
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
client_key="/home/rootkit/client.key",
client_cert="/home/rootkit/ssl/client.pem")
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param)
我已经使用用于服务器的 came 命令生成了客户端证书。
可能是什么问题。
我缺少什么?
我从 github 回购中得到了答案,即
The "client" certificate is a totally different thing: a way for the server to authenticate the client, so called "mutual authentication". It does nothing in this case because the server is not set up to check the client's certificate. It does not cause the client to skip validation of the server's certificate. To do that like you do for chrome, use validate_cert=False.
(standard disclaimer that you need to make sure that you don't accidentally leave validate_cert=False in when this code makes it into some real-world product or service)
所以我只需要删除证书的客户端验证。
For "real production use" you probably want to generate a real trusted server certificate for your real dns domain, for example with "Let's Encrypt".
validate_cert=False 将加密流量但不验证证书?
所以我把我的客户端改成了
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
validate_cert=False)
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param.body)
我是 ssl 之类的新手,我已经使用 openssl.
生成了自签名证书openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem
其中 Server 具有以下代码。
if __name__ == "__main__":
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain("/home/rootkit/ssl/certificate.pem",
"/home/rootkit/ssl/key.pem")
http_server = tornado.httpserver.HTTPServer(Application(), ssl_options=context)
#
# http_server = tornado.httpserver.HTTPServer(Application(), ssl_options={
# 'certfile': '/home/rootkit/ssl/certificate.pem',
# 'keyfile': '/home/rootkit/ssl/key.pem',
# })
http_server.listen(8888)
tornado.ioloop.IOLoop.current().start()
当我从 chrome 访问 url 时,它只是给出了异常,因为它没有被任何权威机构签名,所以我认为它是不安全的。
但是如果我通过 wireshark 看到流量,它会显示加密流量。
但是当我尝试连接 Tornado Client 时,它抛出以下错误。
WARNING:tornado.general:SSL Error on 6 ('127.0.0.1', 8888): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
ERROR:tornado.application:Exception in callback functools.partial(<function wrap.<locals>.null_wrapper at 0xb72e514c>, <Task finished coro=<check_status() done, defined at /home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py:82> exception=SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)')>)
Traceback (most recent call last):
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 758, in _run_callback
ret = callback()
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/stack_context.py", line 300, in null_wrapper
return fn(*args, **kwargs)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 779, in _discard_future_result
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/usr/lib/python3.5/asyncio/tasks.py", line 241, in _step
result = coro.throw(exc)
File "/home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py", line 89, in check_status
param = await client.fetch(request)
File "/usr/lib/python3.5/asyncio/futures.py", line 361, in __iter__
yield self # This tells Task to wait for completion.
File "/usr/lib/python3.5/asyncio/tasks.py", line 296, in _wakeup
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/simple_httpclient.py", line 272, in run
max_buffer_size=self.max_buffer_size)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1141, in run
yielded = self.gen.throw(*exc_info)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/tcpclient.py", line 242, in connect
server_hostname=host)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/iostream.py", line 1501, in _do_ssl_handshake
self.socket.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
这是客户端代码。
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
client_key="/home/rootkit/client.key",
client_cert="/home/rootkit/ssl/client.pem")
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param)
我已经使用用于服务器的 came 命令生成了客户端证书。
可能是什么问题。 我缺少什么?
我从 github 回购中得到了答案,即
The "client" certificate is a totally different thing: a way for the server to authenticate the client, so called "mutual authentication". It does nothing in this case because the server is not set up to check the client's certificate. It does not cause the client to skip validation of the server's certificate. To do that like you do for chrome, use validate_cert=False.
(standard disclaimer that you need to make sure that you don't accidentally leave validate_cert=False in when this code makes it into some real-world product or service)
所以我只需要删除证书的客户端验证。
For "real production use" you probably want to generate a real trusted server certificate for your real dns domain, for example with "Let's Encrypt".
validate_cert=False 将加密流量但不验证证书?
所以我把我的客户端改成了
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
validate_cert=False)
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param.body)