使用客户端证书的自定义urllib开启器
我有一个我必须使用的API。该API由HTTPS进行保护并使用相互认证/客户端证书。我有一个PEM文件和一个CRT文件。使用客户端证书的自定义urllib开启器
当我定期连接到服务器,使用PyOpenSSL我没有问题,这里是代码:
import settings
from OpenSSL import SSL
import socket
def verify(conn, cert, errnum, depth, ok):
# This obviously has to be updated
print 'Got certificate: %s' % cert.get_subject()
return ok
def password_callback(maxlen, verify, extra):
print (maxlen, verify, extra)
return settings.DEPOSIT_CODE
context = SSL.Context(SSL.SSLv23_METHOD)
context.set_verify(SSL.VERIFY_NONE, verify)
context.set_passwd_cb(password_callback)
context.use_certificate_file(settings.CLIENT_CERT_FILE)
context.use_privatekey_file(settings.PEM_FILE)
sock = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
sock.connect(("someserver.com",443))
http_get_request = """
GET/HTTP/1.1
"""
sock.write(http_get_request)
print sock.recv(1000)
但是,因为这是与客户端证书的HTTPS API,我已经实现了开门红吧,不知何故修改了代码是在这里:
import settings
import socket
import urllib2
def verify(conn, cert, errnum, depth, ok):
# This obviously has to be updated
print 'Got certificate: %s' % cert.get_subject()
return ok
def password_callback(maxlen, verify, extra):
print (maxlen, verify, extra)
return settings.DEPOSIT_CODE
class MyHTTPSConnection(httplib.HTTPSConnection):
def connect(self):
context = SSL.Context(SSL.SSLv23_METHOD)
context.set_passwd_cb(password_callback)
context.use_certificate_file(settings.CLIENT_CERT_FILE)
context.set_verify(SSL.VERIFY_NONE, verify)
context.use_privatekey_file(settings.PEM_FILE)
self.sock = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
class MyHTTPSHandler(urllib2.HTTPSHandler):
def https_open(self,req):
return self.do_open(MyHTTPSConnection,req)
opener = urllib2.build_opener(urllib2.HTTPHandler,MyCHTTPSHandler)
urllib2.install_opener(opener)
f = urllib2.urlopen("https://sampleapiserver.com")
print f.code
但是当我运行第二个代码,我得到以下错误:
File "/usr/lib/python2.6/urllib2.py", line 126, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib/python2.6/urllib2.py", line 391, in open
response = self._open(req, data)
File "/usr/lib/python2.6/urllib2.py", line 409, in _open
'_open', req)
File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
result = func(*args)
File "network.py", line 37, in https_open
return self.do_open(IRNICHTTPSConnection,req)
File "/usr/lib/python2.6/urllib2.py", line 1142, in do_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
File "/usr/lib/python2.6/httplib.py", line 914, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.6/httplib.py", line 951, in _send_request
self.endheaders()
File "/usr/lib/python2.6/httplib.py", line 908, in endheaders
self._send_output()
File "/usr/lib/python2.6/httplib.py", line 780, in _send_output
self.send(msg)
File "/usr/lib/python2.6/httplib.py", line 759, in send
self.sock.sendall(str)
OpenSSL.SSL.Error: [('SSL routines', 'SSL_write', 'uninitialized')]
最后,我做错了什么?如果没有,请帮我理解错误...
干杯。
我不知道 - 但它看起来像你对我缺少做connect()调用的connect()方法:
self.sock.connect(("someserver.com",443))
而且httplib
的HTTPS处理有包装类SSL套接字,所以也许这些工作需要它?
是的,这正是我昨天所做的,并已修复:) – Hosane 2011-04-20 06:15:48
看起来你在这里增加了很多复杂性,你并不需要。如果你只是做简单的客户端证书验证,你也许可以从下面的代码片段脱身(source):在提供CERT-authenicated URL开启到SudsClient
的背景下使用
import httplib
import urllib2
# HTTPS Client Auth solution for urllib2, inspired by
# http://bugs.python.org/issue3466
# and improved by David Norton of Three Pillar Software. In this
# implementation, we use properties passed in rather than static module
# fields.
class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
def __init__(self, key, cert):
urllib2.HTTPSHandler.__init__(self)
self.key = key
self.cert = cert
def https_open(self, req):
#Rather than pass in a reference to a connection class, we pass in
# a reference to a function which, for all intents and purposes,
# will behave as a constructor
return self.do_open(self.getConnection, req)
def getConnection(self, host):
return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert)
cert_handler = HTTPSClientAuthHandler(settings.PEMFILE, settings.CLIENT_CERT_FILE)
opener = urllib2.build_opener(cert_handler)
urllib2.install_opener(opener)
f = urllib2.urlopen("https://sampleapiserver.com")
print f.code
源构造函数,所以我将它剥离出来并使其成为直接开启者。
唯一的问题是你不能设置密码回调(Python的内置SSL支持,直到版本3.3左右才有这个功能),所以如果客户端密钥受密码保护,则无法阻止底层SSL库尝试在终端上提示用户。 – 2012-02-12 23:12:01
你能否澄清一下你说这是一个HTTP API的部分,但你想摆脱HTTP协议? – Keith 2011-04-18 11:36:37