【问题标题】:Gunicorn Two-way SSL Error "SSL_ERROR_UNKNOWN_CA_ALERT"Gunicorn 双向 SSL 错误“SSL_ERROR_UNKNOWN_CA_ALERT”
【发布时间】:2018-12-11 18:35:46
【问题描述】:

我正在通过Gunicorn 运行一个配置了双向 SSL 的 Python3 应用程序。这需要本地证书/密钥来验证应用程序以及 ca_certs 文件来验证客户端。 Gunicorn 依赖于 Python 中的标准 ssl 模块,尤其是 wrap_socket 方法。

当我使用自签名证书进行服务器和客户端身份验证时,服务启动并响应 curl 请求正常。但是,当我使用由另一个 CA 签名的证书时,我收到错误 SSL_ERROR_UNKNOWN_CA_ALERT

具有自签名证书的工作设置:

# Server cert
openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out domain.crt

# Client (CA) cert    
openssl req \
       -newkey rsa:2048 -nodes -keyout twoway.key \
       -x509 -days 365 -out twoway.crt

使用 Gunicorn 配置如下:

keyfile = domain.key
certfile = domain.crt
cert_reqs = ssl.CERT_REQUIRED
ca_certs=twoway.crt

卷曲如下:

curl -vk --key twoway.key --cert twoway.crt https://my.service

产生一个成功的响应:

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Dec  7 18:35:54 2018 GMT
*  expire date: Dec  7 18:35:54 2019 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /manage/info HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: gunicorn/19.9.0
< Date: Tue, 11 Dec 2018 18:26:19 GMT
< Connection: keep-alive
< Content-Type: application/json
< Content-Length: 73

设置失败,具有不同系列的证书:

使用 Gunicorn 配置如下:

keyfile = my_service_key.key
certfile = my_service_cert.crt
cert_reqs = ssl.CERT_REQUIRED
ca_certs = my_trusted_clients.crt

卷曲如下:

curl -vk --key my_trusted_key.key --cert my_trusted_clients.crt https://my.service

产生错误:

About to connect() to localhost port 5000 (#0)
Initializing NSS with certpath: sql/etc/pki/nssdb
warning: ignoring value of ssl.verifyhost
skipping SSL peer certificate verification
NSS: client certificate from file
    subject: CN=mycn,OU=abc,O=def,...
NSS error -12195
Closing connection #0
SSL connect error
curl: (35) SSL connect error

对我是否以错误的方式进行配置有任何想法吗?为什么自签名证书有效而其他证书无效?

请注意,此配置以前在使用 Stunnel 时有效,我将 verify 级别设置为 4(“忽略链并仅验证对等证书。”)。如果 Python 中有类似的东西,我相信这会让我朝着正确的方向前进。

【问题讨论】:

    标签: python ssl gunicorn


    【解决方案1】:

    我认为从 Gunicorn 19.9 开始这是不可能的。

    除了在服务器上拥有完整的证书链,为了验证客户端/对等证书,我相信您需要能够configure the SSLContext,尤其是能够在服务器中设置ssl.CERT_REQUIRED -模式。

    Gunicorn 19.9(和撰写本文时的主版本)当前没有在连接上使用基于 SSLContext 的包装器,因此这是不可能的,请参阅 https://github.com/benoitc/gunicorn/issues/1140

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2012-05-30
      • 1970-01-01
      • 1970-01-01
      • 2017-05-11
      • 1970-01-01
      • 2017-03-28
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多