我试图了解如何保护数据在通过服务器和工作服务器之间的开放网络后被更改
在我的脑海中,我在想它应该遵循以下内容:
|server|---send_job----->|worker|
| |<--send_results--| |
| | | |
| |-send_kill_req-->| |
很明显,我不希望有人改变我的行为做恶事,我不希望有人偷看我的结果 .
所以我有一个超级简单的客户端/服务器设置,我正在尝试实现 ssl 但我完全迷失了 .
下面是我尝试过的最基本的东西,但我也试过通过以下方式实现我自己的ssl证书:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt
跟着documentation一起,但我仍然永远无法回复任何回复 get .
我如何正确实施 ssl_context 才能使其正常工作?!
server.py
from aiohttp import web
import msgpack
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)
client.py import aiohttp import asyncio import ssl
async def main():
sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
async with aiohttp.ClientSession() as session:
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
html = await response.read()
print(html)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
-
在一个窗口中运行
python3 server.py -
在另一个窗口中运行
python3 client.py
然后我通常会得到类似的东西:
Traceback (most recent call last):
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
return await self._loop.create_connection(*args, **kwargs)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
sock, protocol_factory, ssl, server_hostname)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
yield from waiter
ConnectionResetError
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "client.py", line 14, in <module>
loop.run_until_complete(main())
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
return future.result()
File "client.py", line 9, in main
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
self._resp = await self._coro
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
timeout=timeout
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
proto = await self._create_connection(req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
raise last_exc
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
req=req, client_error=client_error)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]
解决方案:
这是一个两部分问题,
- 我不知道我在用openssl做什么,请求库帮我解决了这个问题!
import requests
requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
事实证明,当我的openssl证书真正重要时,我刚刚默认的那些行 . 一个稍微更正确(但可能仍然错误)的配置类似于
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
Email Address []:.
让我得出结果:
import requests
requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
似乎'subjectAltName'有点难以添加,需要比简单命令更多的工作,你需要遵循像this这样的指南,我会尝试它,看看是否该错误消失了 .
- 我认为我错误地使用了
ssl.Purpose.CLIENT/SERVER_AUTH,正如@Andrej提到的那样,我改变了它(如下所示)并做了一些其他修改,现在我得到了正确的答案 . 我理解ssl.Purpose但至少我现在可以使用一些东西了,希望我能及时弄清楚剩下的 .client.py
import aiohttp
import asyncio
import ssl
async def main():
sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt')
async with aiohttp.ClientSession() as session:
async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response:
html = await response.read()
print(html)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
server.py
from aiohttp import web
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
web.run_app(app, ssl_context=ssl_context)
commandline
>python3 server.py
# Switch to a new window/pane
>python3 client.py
b'Hello, JOHNYY'
1 回答
您正在创建证书,但未将其加载到SSL链 . 并将您的ssl_context创建从
ssl.Purpose.SERVER_AUTH更改为ssl.Purpose.CLIENT_AUTH:运行服务器时,客户端将在连接时打印: