What does "SSLError: [SSL] PEM lib (_ssl.c:2532)" mean using the Python ssl library?
Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/30109449/
Asked by sargas
I am trying to connect to another party using the Python 3 asyncio module and get this error:
36 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
---> 37 sslcontext.load_cert_chain(cert, keyfile=ca_cert)
38
SSLError: [SSL] PEM lib (_ssl.c:2532)
The question is just what the error means. My certificate is correct, the keyfile (CA certificate) might not be.
Accepted answer by jmunsch
Assuming that version 3.6 is being used:
See: https://github.com/python/cpython/blob/3.6/Modules/_ssl.c#L3523-L3534
PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
r = SSL_CTX_check_private_key(self->ctx);
PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
if (r != 1) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
goto error;
}
What it is saying is that SSL_CTX_check_private_key failed; thus, the private key is not correct.
Reference to the likely version:
Answer by larsks
In your code, you are calling:
sslcontext.load_cert_chain(cert, keyfile=ca_cert)
From the documentation:
Load a private key and the corresponding certificate. The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate's authenticity. The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. See the discussion of Certificates for more information on how the certificate is stored in the certfile.
Based on the name of the arguments in your example, it looks like you are passing a CA certificate to the keyfile argument. That is incorrect: you need to pass in the private key that was used to generate your local certificate (otherwise the client cannot use your certificate). A private key file will look something like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9BA4973008F0A0B36FBE1426C198DD1B
...data...
-----END RSA PRIVATE KEY-----
You only need the CA certificate if you are trying to verify the validity of SSL certificates that have been signed by this certificate. In that case, you would probably use SSLContext.load_verify_locations() to load the CA certificate (although I have not worked with the SSL module recently, so don't take my word on that point).
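The pre-flight check that larsks's answer implies, written out as an added example; it is not part of the original post or of CPython. The function names (pem_blocks, check_cert_chain_inputs, load_cert_chain_checked, try_load) are my own, and the PEM texts are constructed dummies: correct labels over meaningless bodies, not real keys or certificates. It goes a little beyond the answer: it also handles a key embedded in certfile (keyfile=None) and the Proc-Type: 4,ENCRYPTED header shown above, which needs password=. OpenSSL's "[SSL] PEM lib" is the generic ERR_R_PEM_LIB reason it raises when one of the PEM reads inside SSL_CTX_use_certificate_chain_file or SSL_CTX_use_PrivateKey_file fails, which is exactly what happens when the keyfile holds a certificate instead of a key; reading the PEM labels yourself first turns that terse error into a specific one.

```python
import os
import re
import ssl
import tempfile

# PEM labels OpenSSL accepts on the private-key side of load_cert_chain().
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted: needs password=
    "RSA PRIVATE KEY",        # PKCS#1, the traditional OpenSSL format
    "EC PRIVATE KEY",         # SEC1
    "DSA PRIVATE KEY",
}
# One PEM block: BEGIN line, body (may start with Proc-Type/DEK-Info headers), END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed, dummy PEM texts for the demonstration: the right labels over
# meaningless bodies. They are NOT real keys or certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
FAKE_CA_CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,9BA4973008F0A0B36FBE1426C198DD1B\n\n"
                      "DDDD\n-----END RSA PRIVATE KEY-----\n")


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in `text`, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def check_cert_chain_inputs(certfile_text, keyfile_text=None, password=None):
    """List what is wrong with the *shape* of load_cert_chain()'s inputs; [] if nothing.
    Whether the key actually matches the certificate is still OpenSSL's call at load time."""
    problems = []
    cert_blocks = pem_blocks(certfile_text)
    if not cert_blocks or cert_blocks[0][0] != "CERTIFICATE":
        problems.append("certfile must start with a CERTIFICATE block (the leaf)")
    # With keyfile=None, load_cert_chain() looks for the private key in certfile itself.
    key_source = "certfile" if keyfile_text is None else "keyfile"
    key_blocks = cert_blocks if keyfile_text is None else pem_blocks(keyfile_text)
    keys = [(label, body) for label, body in key_blocks if label in PRIVATE_KEY_LABELS]
    if not keys:
        seen = ", ".join(label for label, _ in key_blocks) or "no PEM block at all"
        problems.append(f"{key_source} holds {seen} but no private key "
                        "(a CA certificate passed as keyfile= is the classic mistake)")
    else:
        label, body = keys[0]
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        if encrypted and password is None:
            problems.append("private key is encrypted: pass password= to load_cert_chain()")
    return problems


def load_cert_chain_checked(ctx, certfile, keyfile=None, password=None):
    """Shape-check the files (ValueError with a readable reason), then do the real load.
    An SSLError from the real load is then a genuine parse failure or key/cert mismatch."""
    with open(certfile, encoding="ascii") as f:
        cert_text = f.read()
    key_text = None
    if keyfile is not None:
        with open(keyfile, encoding="ascii") as f:
            key_text = f.read()
    problems = check_cert_chain_inputs(cert_text, key_text, password)
    if problems:
        raise ValueError("; ".join(problems))
    ctx.load_cert_chain(certfile, keyfile=keyfile, password=password)


def try_load(certfile_text, keyfile_text=None, password=None):
    """Write the texts to temp files and attempt the checked load on a client context.
    Returns "ok", "ValueError: ..." or "SSLError: ..." so the rejecting layer is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        certfile = os.path.join(tmp, "cert.pem")
        with open(certfile, "w") as f:
            f.write(certfile_text)
        keyfile = None
        if keyfile_text is not None:
            keyfile = os.path.join(tmp, "key.pem")
            with open(keyfile, "w") as f:
                f.write(keyfile_text)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            load_cert_chain_checked(ctx, certfile, keyfile, password)
        except ValueError as exc:
            return f"ValueError: {exc}"
        except ssl.SSLError as exc:
            return f"SSLError: {exc}"
    return "ok"


if __name__ == "__main__":
    print(try_load(FAKE_CERT, FAKE_CA_CERT))   # the asker's mistake, caught before OpenSSL
    print(try_load(FAKE_CERT, FAKE_KEY))       # right shape, dummy bodies: OpenSSL rejects them
```

The CA certificate still belongs in ctx.load_verify_locations(cafile=...), as the answer says. Note also that a context built with ssl.PROTOCOL_TLS_CLIENT verifies the server certificate and hostname against those CAs by default, which the asker's ssl.PROTOCOL_TLSv1 context did not do on its own.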