在 Python 中打开 SSL 套接字连接
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26851034/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Opening a SSL socket connection in Python
提问by Raffi
I'm trying to establish a secure socket connection in Python, and i'm having a hard time with the SSL bit of it. I've found some code examples of how to establish a connection with SSL, but they all involve key files. The server i'm trying to connect with doesn't need to receive any keys or certificates. My question is how do I essentially wrap a python socket connection with SSL. I know for a fact that the cipher i'm suppose to use is ADH-AES256-SHA, and the protocol is TLSv1. This is what i've been trying:
我正在尝试在 Python 中建立一个安全的套接字连接,但我很难使用它的 SSL 位。我找到了一些关于如何与 SSL 建立连接的代码示例,但它们都涉及密钥文件。我尝试连接的服务器不需要接收任何密钥或证书。我的问题是我如何本质上用 SSL 包装 python 套接字连接。我知道我假设使用的密码是ADH-AES256-SHA,协议是TLSv1. 这是我一直在尝试的:
import socket
import ssl
# SET VARIABLES
packet, reply = "<packet>SOME_DATA</packet>", ""
HOST, PORT = 'XX.XX.XX.XX', 4434
# CREATE SOCKET
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
# WRAP SOCKET ???
ssl.wrap_socket(sock, ssl_version="TLSv1", ciphers="ADH-AES256-SHA")
# CONNECT AND PRINT REPLY
sock.connect((HOST, PORT))
sock.send(packet)
print sock.recv(1280)
# CLOSE SOCKET CONNECTION
sock.close()
When I run this code, I don't get any errors, but I get a blank response. When trying to debug this code in the command line, by typing in pythonin the terminal and pasting in code line by line, I get what i'm assuming is a status code when running sock.send(packet). The integer response I get is 26. If anyone knows what this means, or can help in anyway it would be greatly appreciated. Thanks in advance!
当我运行此代码时,我没有收到任何错误,但收到空白响应。当尝试在命令行中调试此代码时,通过在python终端中键入并逐行粘贴代码,我得到了我假设运行时的状态代码sock.send(packet)。我得到的整数响应是26. 如果有人知道这意味着什么,或者可以提供帮助,我们将不胜感激。提前致谢!
采纳答案by Raffi
Ok, I figured out what was wrong. It was kind of foolish of me. I had twoproblems with my code. My first mistake was when specifying the ssl_versionI put in TLSv1when it should have been ssl.PROTOCOL_TLSv1. The second mistake was that I wasn't referencing the wrapped socket, instead I was calling the original socket that I have created. The below code seemed to work for me.
好的,我知道出了什么问题。这对我来说有点愚蠢。two我的代码有问题。我的第一个错误是指定了ssl_version我TLSv1应该在什么时候放入的ssl.PROTOCOL_TLSv1. 第二个错误是我没有引用包装好的套接字,而是调用了我创建的原始套接字。下面的代码似乎对我有用。
import socket
import ssl
# SET VARIABLES
packet, reply = "<packet>SOME_DATA</packet>", ""
HOST, PORT = 'XX.XX.XX.XX', 4434
# CREATE SOCKET
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
# WRAP SOCKET
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ADH-AES256-SHA")
# CONNECT AND PRINT REPLY
wrappedSocket.connect((HOST, PORT))
wrappedSocket.send(packet)
print wrappedSocket.recv(1280)
# CLOSE SOCKET CONNECTION
wrappedSocket.close()
Hope this can help somebody!
希望这可以帮助某人!
回答by Bryant Bernstein
There is a lot of fun to be had solving these problems but for me, I found that the underlying infrastructure for python ssl is openssl. Try validating your certificates with openssl and do this before you try to get python to use that same stack.
解决这些问题有很多乐趣,但对我来说,我发现 python ssl 的底层基础设施是 openssl。尝试使用 openssl 验证您的证书,并在尝试让 python 使用相同的堆栈之前执行此操作。
I needed to import a root certificate into openssl before I could validate the leaf certificate.
在验证叶证书之前,我需要将根证书导入 openssl。
This was helpful.
http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl
这很有帮助。
http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl
Another interesting thing was that two different build of the same version of python on different hosts had different methods. One had ssl.get_default_verify_paths()and the other didn't had any at all. The lesson here is that python ssl is built on openssl. Different underlying libraries give you a different python.
另一个有趣的事情是,在不同主机上,相同版本的 python 的两个不同构建有不同的方法。一个有ssl.get_default_verify_paths(),另一个根本没有。这里的教训是 python ssl 建立在openssl之上。不同的底层库给你不同的python。
Python SSL is built on openssl so solve certificate issues in openssl first.
Python SSL 建立在 openssl 之上,所以首先解决 openssl 中的证书问题。
回答by Kurt Roeckx
You shouldn't be setting PROTOCOL_TLSv1(or TLSv1). This restricts the connection to TLSv1.0 only. Instead you want PROTOCOL_TLS(or the deprecated PROTOCOL_SSLv23) that supports all versions supported by the library.
你不应该设置PROTOCOL_TLSv1(或TLSv1)。这将连接限制为TLS仅 v1.0。相反,您想要PROTOCOL_TLS(或已弃用的PROTOCOL_SSLv23)支持库支持的所有版本。
You're using an anonymous cipher, because for some reason you think you don't need a certificate or key. This means that there is no authentication of the server and that you're vulnerable to a man in the middle attack. Unless you really know what you're doing, I suggest you don't use anonymous ciphers (like ADH-AES256-SHA).
您正在使用匿名密码,因为出于某种原因,您认为您不需要证书或密钥。这意味着没有服务器身份验证,并且您很容易受到中间人攻击。除非您真的知道自己在做什么,否则我建议您不要使用匿名密码(例如ADH-AES256-SHA)。
