Python Websockets创建pem文件

Posted

技术标签:

【中文标题】Python Websockets创建pem文件【英文标题】:Python Websockets create pem file 【发布时间】:2020-05-21 22:29:57 【问题描述】:

您好,我正在使用 python 库 Websockets。在开发中一切正常,但在服务器上它崩溃了,因为它需要使用 WSS。上面的链接给出了一个如何做到这一点的例子:

#!/usr/bin/env python

# WSS (WS over TLS) server example, with a self-signed certificate

import asyncio
import pathlib
import ssl
import websockets

async def hello(websocket, path):
    name = await websocket.recv()
    print(f"< name")

    greeting = f"Hello name!"

    await websocket.send(greeting)
    print(f"> greeting")

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
localhost_pem = pathlib.Path(__file__).with_name("localhost.pem")
ssl_context.load_cert_chain(localhost_pem)

start_server = websockets.serve(
    hello, "localhost", 8765, ssl=ssl_context
)

asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()

这段代码很简单,但我完全不知道如何生成它想要的文件(服务器和客户端)。我研究了“创建 pem 文件”但无济于事,并且收到了各种 ssl 错误。有人可以解释如何为此应用程序创建 pem 文件吗?谢谢

编辑: 根据我使用的答案

sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

这创建了两个文件。

我的服务器现在通过以下方式成功监听:

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
path_cert = pathlib.Path(__file__).with_name("cert.pem")
path_key = pathlib.Path(__file__).with_name("key.pem")
ssl_context.load_cert_chain(path_cert, keyfile=path_key)

print("Listening for connection...")
start_server = websockets.serve(handler, HOSTNAME, PORT, ssl=ssl_context)

我唯一遇到的问题是让客户端连接,我尝试:

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
path_cert = pathlib.Path(__file__).with_name("cert.pem")
ssl_context.load_cert_chain(path_cert)

async with websockets.connect(uri, ssl=ssl_context) as websocket:

但我得到了错误:ssl.SSLError: [SSL] PEM lib (_ssl.c:3854)

我也试过了:

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
path_cert = pathlib.Path(__file__).with_name("cert.pem")
path_key = pathlib.Path(__file__).with_name("key.pem")
ssl_context.load_cert_chain(path_cert, keyfile=path_key)

async with websockets.connect(uri, ssl=ssl_context) as websocket:

并得到错误ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)

编辑2: 根据答案,我为客户尝试了这个:

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.load_verify_locations()

async with websockets.connect(uri, ssl=ssl_context) as websocket:

这会产生一个新错误:TypeError: cafile, capath and cadata cannot be all omitted

尝试第二个建议:

ssl_context = ssl.create_default_context()
ssl_context.load_verify_locations(certifi.where())

async with websockets.connect(uri, ssl=ssl_context) as websocket:

产生错误:ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)

编辑3: 最终的工作客户:

ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
path_cert = pathlib.Path(__file__).with_name("cert.pem")
ssl_context.load_verify_locations(path_cert)

async with websockets.connect(uri, ssl=ssl_context) as websocket:

【问题讨论】:

【参考方案1】:

PEM 文件包含一些关于公钥或|和私钥或证书的内容,并且它具有 base64 编码的数据位。 PEM 表示用于邮件安全标准的隐私增强邮件。它包括表单的页眉和页脚行

Create PEM

如何创建自签名 PEM 文件

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

如何从形成链的现有证书文件创建 PEM 文件 (可选)按照下列步骤从私钥中删除密码:

openssl rsa -in server.key -out nopassword.key

如何借助自动化脚本创建 PEM 文件:

    下载 NetIQ Cool Tool OpenSSL-Toolkit。

    选择创建证书 |具有密钥和整个信任链的 PEM

    提供包含证书文件的目录的完整路径。

    提供以下文件名:私钥公钥(服务器crt)(条件)私钥密码(条件)任意 中间证书链文件

你会得到这样的东西:

-----BEGIN RSA PRIVATE KEY----- 
(Private Key: domain_name.key contents) 
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- 
(Primary SSL certificate: domain_name.crt contents) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Intermediate certificate: certChainCA.crt contents) 
-----END CERTIFICATE----

你可以解码:

openssl x509 -in cert.pem -text -noout

你会得到这样的东西:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = BE, O = GnuTLS, OU = GnuTLS certificate authority, ST = Leuven, CN = GnuTLS certificate authority
        Validity
            Not Before: May 23 20:38:21 2011 GMT
            Not After : Dec 22 07:41:51 2012 GMT
        Subject: C = BE, O = GnuTLS, OU = GnuTLS certificate authority, ST = Leuven, CN = GnuTLS certificate authority
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:52:d8:8d:23:8a:e3:67:d7:86:36:b1:20:0b:09:
                    7d:c8:c9:ba:a2:20:95:2f:c5:4a:63:fa:83:5f:ce:
                    78:2f:8f:f3:62:ca:fd:b7:f7:80:56:9d:6e:17:b9:
                    0e:11:4c:48:b2:c0:af:3b:59:17:16:30:68:09:07:
                    99:17:fe:dd:a7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                F0:B4:81:FE:98:12:BF:B5:28:B9:64:40:03:CB:CC:1F:66:4E:28:03
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:31:ae:c0:3d:4a:3f:21:be:85:17:fc:f0:c7:b2:
         31:07:2a:38:56:43:d1:36:d5:95:e1:7e:52:c0:06:43:87:a7:
         02:21:00:97:8c:0e:b8:3c:0a:41:af:ae:a5:cf:06:7e:d5:c4:
         d8:2f:ff:e2:62:80:34:10:ba:22:dd:35:81:46:93:22:9a

Create PEM File

对于您写的客户部分:

ssl_context.load_cert_chain(path_cert, keyfile=path_key)

替换它:

import json
import asyncio
import websockets
import ssl
import certifi


ssl_context = ssl.create_default_context()
ssl_context.load_verify_locations(certifi.where())


query =  
    "jsonrpc": "2.0",
    "method": "queryHeadsets",
    "params": ,
    "id": 1
    
json = json.dumps(query)

async def query(json):

    async with websockets.connect("wss://yourserver.com:54321", ssl=ssl_context) as ws:
        await ws.send(json)
        response = await ws.recv()
        print(response)

asyncio.get_event_loop().run_until_complete(query(json))

【讨论】:

在第 3 步中,该目录中应包含哪些文件? 这取决于您是否有现有的证书文件,我更新了我的答案。 服务器现在可以工作了,谢谢,你能看看我的编辑来帮助客户端吗 很好,在您的客户端代码中替换 SSLContext.load_verify_locations() 试试这个:import certifi/ssl_context = ssl.create_default_context()/ssl_context.load_verify_locations(certifi.where())

以上是关于Python Websockets创建pem文件的主要内容,如果未能解决你的问题,请参考以下文章

为推送通知创建.pem 文件?

修改 nginx 配置以正确反向代理 websockets

从 PPK 文件创建 PEM [重复]

Python下RSA加密/解密, 签名/验证

将 JavaScript 通过 websockets 发送的最后一个字符剥离到 Python

Linux 使用阿里云pem文件、key、RAS登陆连接。