无法从Tornado Client连接到基于Tornado SSL的服务器
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了无法从Tornado Client连接到基于Tornado SSL的服务器相关的知识,希望对你有一定的参考价值。
我是ssl和stuff的新手,我使用openssl生成了自签名证书。
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem
服务器具有以下代码。
if __name__ == "__main__":
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain("/home/rootkit/ssl/certificate.pem",
"/home/rootkit/ssl/key.pem")
http_server = tornado.httpserver.HTTPServer(Application(), ssl_options=context)
#
# http_server = tornado.httpserver.HTTPServer(Application(), ssl_options={
# 'certfile': '/home/rootkit/ssl/certificate.pem',
# 'keyfile': '/home/rootkit/ssl/key.pem',
# })
http_server.listen(8888)
tornado.ioloop.IOLoop.current().start()
当我从chrome访问url时,它只是提供异常,因为它没有被任何权限签名所以我继续它是不安全的。
但是,如果我通过wireshark看到流量,它会显示加密的流量。
但是当我尝试连接Tornado Client时,它会抛出以下错误。
WARNING:tornado.general:SSL Error on 6 ('127.0.0.1', 8888): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
ERROR:tornado.application:Exception in callback functools.partial(<function wrap.<locals>.null_wrapper at 0xb72e514c>, <Task finished coro=<check_status() done, defined at /home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py:82> exception=SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)')>)
Traceback (most recent call last):
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 758, in _run_callback
ret = callback()
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/stack_context.py", line 300, in null_wrapper
return fn(*args, **kwargs)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 779, in _discard_future_result
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/usr/lib/python3.5/asyncio/tasks.py", line 241, in _step
result = coro.throw(exc)
File "/home/rootkit/PycharmProjects/websocketserver/file_upload/websocketclient.py", line 89, in check_status
param = await client.fetch(request)
File "/usr/lib/python3.5/asyncio/futures.py", line 361, in __iter__
yield self # This tells Task to wait for completion.
File "/usr/lib/python3.5/asyncio/tasks.py", line 296, in _wakeup
future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/simple_httpclient.py", line 272, in run
max_buffer_size=self.max_buffer_size)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1141, in run
yielded = self.gen.throw(*exc_info)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/tcpclient.py", line 242, in connect
server_hostname=host)
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/gen.py", line 1133, in run
value = future.result()
File "/usr/lib/python3.5/asyncio/futures.py", line 274, in result
raise self._exception
File "/home/rootkit/.local/lib/python3.5/site-packages/tornado/iostream.py", line 1501, in _do_ssl_handshake
self.socket.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
这是客户端代码。
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
client_key="/home/rootkit/client.key",
client_cert="/home/rootkit/ssl/client.pem")
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param)
我使用我用于服务器的came命令生成了客户端证书。
可能是什么问题。我错过了什么?
我从github回购中得到了答案,
“客户端”证书是完全不同的东西:服务器验证客户端的一种方式,即所谓的“相互身份验证”。在这种情况下,它不执行任何操作,因为服务器未设置为检查客户端的证书。它不会导致客户端跳过服务器证书的验证。要像执行chrome一样执行此操作,请使用validate_cert = False。
(标准免责声明,当您将此代码转换为某些真实产品或服务时,您需要确保不会意外地将validate_cert = False留下)
所以我只需要删除证书的客户端验证。
对于“实际生产使用”,您可能希望为您的真实DNS域生成真正的可信服务器证书,例如使用“Let's Encrypt”。
validate_cert=False
将加密流量但不验证证书?
所以我改变了我的客户
async def check_status():
url = "https://127.0.0.1:8888/"
request = httpclient.HTTPRequest(url=url,
method="GET",
validate_cert=False)
client = httpclient.AsyncHTTPClient()
param = await client.fetch(request)
print(param.body)
以上是关于无法从Tornado Client连接到基于Tornado SSL的服务器的主要内容,如果未能解决你的问题,请参考以下文章
无法使用 mod_wsgi 从 python wsgi 连接到 pymssql