I'm trying to connect to a web server that uses HTTPS client certificate authentication. It works fine when I use curl:

leo@leo-VirtualBox:~/development/pki-client$ curl --key admin.privkey.pem --cert admin.crt -k --url "https://ca.cloud.leotr.org/"
<!DOCTYPE html>
<html>
<head>
    <title>Welcome to CA</title>
    <link href="/static/bootstrap/css/bootstrap.min.css"  rel="stylesheet"/>
</head>
<body>

<div class="container">
    <h1>REMS CA server</h1>
    <p class="lead">Hello and welcome to REMS CA. Currently this page is
        almost empty. But you can download CA root certificate and install it
    into your browser ;)</p>
    <a class="btn btn-large btn-primary" href="/remspki/cacert/">Download CA certificate</a>
    <a class="btn btn-large" href="/admin/">Go to Admin site <i class="icon-arrow-right"></i>    </a>
</div>

</body>
</html>

Client private key file contents

leo@leo-VirtualBox:~/development/pki-client$ cat admin.privkey.pem

Client certificate

leo@leo-VirtualBox:~/development/pki-client$ cat admin.crt

Python code:

leo@leo-VirtualBox:~/development/pki-client$ cat httpstest.py 
from httplib import HTTPSConnection
from config import ADMIN_CERT, ADMIN_KEY

h = HTTPSConnection(
    'ca.cloud.leotr.org', 443, key_file=ADMIN_KEY, cert_file=ADMIN_CERT)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
print(resp.read())

Output:

leo@leo-VirtualBox:~/development/pki-client$ python httpstest.py 
400
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>

Let's try more level Python code

leo@leo-VirtualBox:~/development/pki-client$ cat ssltest.py 
from config import ADMIN_CERT, ADMIN_KEY
import socket
import ssl

sock = socket.create_connection(('ca.cloud.leotr.org', 443), None)
print('Admin key: ', ADMIN_KEY)
print('Admin cert', ADMIN_CERT)
sslsock = ssl.wrap_socket(
    sock, keyfile=ADMIN_KEY, certfile=ADMIN_CERT)
request = ('GET / HTTP/1.1',
           'Host: ca.cloud.leotr.org',
           'Accept: text/html',
           'Accept-Encoding: gzip,deflate,sdch')
request_body = '\n'.join(request) + '\n'*2
sslsock.write(request_body)
response = sslsock.read()
print response

Python result

leo@leo-VirtualBox:~/development/pki-client$ python ssltest.py
('Admin key: ', 'admin.privkey.pem')
('Admin cert', 'admin.crt')
HTTP/1.1 400 Bad Request
Server: nginx/1.1.19
Date: Fri, 04 Jan 2013 04:59:52 GMT
Content-Type: text/html
Content-Length: 231
Connection: close

<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>

So I can't understand what's wrong.

1 answer

#1

The problem here is that you're trying to connect to a CA that isn't in the default CA list. Since the CA site's cert is signed by the CA, the site cannot be visited over SSL until you first download the cert and install it.

The HTML result shows that there are instructions to "download CA root certificate and install it into your browser". If you don't do that, you get an error from your browser saying something like:

Safari can't verify the identity of the website "ca.cloud.leotr.org".

The certificate for this website is invalid. You might be connecting to a website that is pretending to be "ca.cloud.leotr.org", which could put your confidential information at risk. Would you like to connect to the website anyway?

Likewise, if you try it with curl, you get the same error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

The only reason this is working for curl is that you've specified the -k flag, aka --insecure. From the man page:

-k, --insecure

(SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

See this online resource for further details:
http://curl.haxx.se/docs/sslcerts.html

And again, in your Python code, you're getting the same error.

The solution, in all three cases, is the same: Download the CA's cert and put it in your cert store (or explicitly use it in place of your default cert store).
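
The step the answer ends on (use the CA's certificate explicitly in place of the default store), as an added Python 3 example that is not part of the original post. The helper names are hypothetical, and `rems-ca.pem` is an assumed name for the file saved from the page's "Download CA certificate" link. Because that file is first fetched over an unverified connection, the example also computes its SHA-256 fingerprint so it can be compared with a value obtained out of band.

```python
import hashlib
import http.client
import ssl


def ca_fingerprint(ca_file):
    """SHA-256 of the CA certificate (DER form), to compare with a value
    obtained out of band. Expects a single-certificate PEM file."""
    with open(ca_file) as fh:
        der = ssl.PEM_cert_to_DER_cert(fh.read())
    return hashlib.sha256(der).hexdigest()


def empty_trust_context():
    """Client context that requires a valid server certificate and a
    matching hostname, and starts with no trusted CA at all."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def client_context(ca_file, cert_file=None, key_file=None):
    """Trust only ca_file; optionally present a client certificate."""
    ctx = empty_trust_context()
    ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def fetch(host, ctx, path="/", port=443, timeout=10):
    """GET path over TLS and return (status, body). A server certificate that
    does not chain to the loaded CA raises ssl.SSLCertVerificationError."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumption: rems-ca.pem is the PEM file saved from the site's
    # "Download CA certificate" link; the other two files are from the post.
    print("CA sha256:", ca_fingerprint("rems-ca.pem"))
    ctx = client_context("rems-ca.pem", "admin.crt", "admin.privkey.pem")
    print(fetch("ca.cloud.leotr.org", ctx))
```
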
