11.10 Adding SSL to Network Services

Problem

You want to implement a network service involving sockets where servers and clients authenticate themselves and encrypt the transmitted data using SSL.

Solution

The ssl module provides support for adding SSL to low-level socket connections. In particular, the ssl.wrap_socket() function takes an existing socket and wraps an SSL layer around it. For example, here’s a simple echo server that presents a server certificate to connecting clients:

from socket import socket, AF_INET, SOCK_STREAM
import ssl

KEYFILE = 'server_key.pem'    # Private key of the server
CERTFILE = 'server_cert.pem'  # Server certificate (given to client)

def echo_client(s):
    # Echo everything back until the peer closes the connection
    while True:
        data = s.recv(8192)
        if data == b'':
            break
        s.sendall(data)       # sendall() retries until every byte is written
    s.close()
    print('Connection closed')

def echo_server(address):
    s = socket(AF_INET, SOCK_STREAM)
    s.bind(address)
    s.listen(1)

transport=VerifyCertSafeTransport('server_cert.pem',
                                  'client_cert.pem',
                                  'client_key.pem'),
allow_none=True)

Discussion

Getting this recipe to work will test your system configuration skills and understanding of SSL. Perhaps the biggest challenge is simply getting the initial configuration of keys, certificates, and other matters in order.

To clarify what’s required, each endpoint of an SSL connection typically has a private key and a signed certificate file. The certificate file contains the public key and is presented to the remote peer on each connection. For public servers, certificates are normally signed by a certificate authority such as Verisign, Equifax, or similar organization (something that costs money). To verify server certificates, clients maintain a file containing the certificates of trusted certificate authorities. For example, web browsers maintain certificates corresponding to the major certificate authorities and use them to verify the integrity of certificates presented by web servers during HTTPS connections.

For the purposes of this recipe, you can create what’s known as a self-signed certificate. Here’s how you do it:

bash % openssl req -new -x509 -days 365 -nodes -out server_cert.pem -keyout server_key.pem
Generating a 1024 bit RSA private key
..........................................++++++
...++++++
writing new private key to 'server_key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dabeaz, LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:localhost
Email Address []:
bash %

When creating the certificate, the values for the various fields are often arbitrary. However, the “Common Name” field often contains the DNS hostname of servers. If you’re just testing things out on your own machine, use “localhost.” Otherwise, use the domain name of the machine that’s going to run the server.

As a result of this configuration, you will have a server_key.pem file that contains the private key. It looks like this:


The server certificate in server_cert.pem looks similar:


In server-related code, both the private key and certificate file will be presented to the various SSL-related wrapping functions. The certificate is what gets presented to clients. The private key should be protected and remains on the server.

In client-related code, a special file of valid certificate authorities needs to be maintained to verify the server’s certificate. If you have no such file, then at the very least, you can put a copy of the server’s certificate on the client machine and use that as a means for verification. During connection, the server will present its certificate, and then you’ll use the stored certificate you already have to verify that it’s correct.

Servers can also elect to verify the identity of clients. To do that, clients need to have their own private key and certificate key. The server would also need to maintain a file of trusted certificate authorities for verifying the client certificates.

If you intend to add SSL support to a network service for real, this recipe really only gives a small taste of how to set it up. You will definitely want to consult the documentation for more of the finer points. Be prepared to spend a significant amount of time experimenting with it to get things to work.
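The two verification directions described above, as an added example that is not part of the original recipe: the client trusts only a stored copy of the server certificate, the server accepts only the one client certificate it has on file, and a client holding the wrong stored certificate rejects the server. It uses ssl.SSLContext because ssl.wrap_socket() was removed in Python 3.12. It assumes an openssl binary (1.1.1 or later, for -addext) on the PATH, and the function names and the client name client1 are made up for the example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(d, name, cn):
    """Self-signed cert and key from the openssl CLI; -subj skips the prompts."""
    cert, key = (os.path.join(d, name + s) for s in ('_cert.pem', '_key.pem'))
    subprocess.run(['openssl', 'req', '-new', '-x509', '-days', '365', '-nodes',
                    '-subj', '/CN=' + cn, '-addext', 'subjectAltName=DNS:' + cn,
                    '-out', cert, '-keyout', key], check=True, capture_output=True)
    return cert, key

def make_context(protocol, cert, key, trusted):
    ctx = ssl.SSLContext(protocol)        # PROTOCOL_TLS_SERVER or PROTOCOL_TLS_CLIENT
    ctx.load_cert_chain(cert, key)        # what this endpoint presents
    ctx.verify_mode = ssl.CERT_REQUIRED   # the peer must present a certificate too
    ctx.load_verify_locations(trusted)    # the only certificate this endpoint accepts
    return ctx

def serve_once(listener, ctx, seen):
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            # Record the verified client identity, then echo one message
            seen.append(dict(r[0] for r in tls.getpeercert()['subject'])['commonName'])
            tls.sendall(tls.recv(8192))
    except OSError as e:                  # handshake failed or was aborted
        seen.append(type(e).__name__)

def attempt(sctx, cctx):
    """One echo round trip; returns (client result, what the server recorded)."""
    seen = []
    with socket.create_server(('127.0.0.1', 0)) as listener:
        t = threading.Thread(target=serve_once, args=(listener, sctx, seen), daemon=True)
        t.start()
        try:
            with socket.create_connection(listener.getsockname()) as raw, \
                 cctx.wrap_socket(raw, server_hostname='localhost') as tls:
                tls.sendall(b'hello')
                result = tls.recv(8192)
        except ssl.SSLCertVerificationError as e:
            result = 'rejected: ' + e.verify_message
        t.join()
    return result, seen[0]

def demo():
    with tempfile.TemporaryDirectory() as d:
        s_cert, s_key = make_cert(d, 'server', 'localhost')
        c_cert, c_key = make_cert(d, 'client', 'client1')   # constructed client name
        sctx = make_context(ssl.PROTOCOL_TLS_SERVER, s_cert, s_key, trusted=c_cert)
        good = make_context(ssl.PROTOCOL_TLS_CLIENT, c_cert, c_key, trusted=s_cert)
        bad = make_context(ssl.PROTOCOL_TLS_CLIENT, c_cert, c_key, trusted=c_cert)
        return attempt(sctx, good), attempt(sctx, bad)
```

Calling demo() returns one (client result, server record) pair per attempt: the echoed bytes and the verified client name for the correctly configured client, and the verification error text for the client whose stored certificate does not match the server.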
