开发者

Prevent OpenSSL from using system certificates?

开发者 https://www.devze.com 2023-01-21 07:13 出处:网络
How can I prevent OpenSSL (specifically, Python\'s ssl module) from using system certificate authorities?

How can I prevent OpenSSL (specifically, Python's ssl module) from using system certificate authorities?

In other words, I would like it to trust only the certificate authorities which I specify, and nothing else:

ssl_socket = ssl.wrap_socket(newsocket, server_side=True, certfile="my_cert.pem",
                 开发者_开发知识库            ca_certs=MY_TRUSTED_CAs, # <<< Only CAs specified here
                             cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)


I've just run a few tests, and listing your selection of CAs in the ca_certs parameters is exactly what you need.

The system I've tried it on is Linux with Python 2.6. If you don't use ca_certs, it doesn't let you use cert_reqs=ssl.CERT_REQUIRED:

Traceback (most recent call last):
  File "sockettest.py", line 18, in <module>
    cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python2.6/ssl.py", line 113, in __init__
    cert_reqs, ssl_version, ca_certs)
ssl.SSLError: _ssl.c:317: No root certificates specified for verification of other-side certificates.

I've also tried to use a client to send a certificate that's not from a CA in the ca_certs parameter, and I get ssl_error_unknown_ca_alert (as expected).

Note that either way, there's no client-certificate CA list send (in the certificate_authorities list in the CertificateRequest TLS message), but that wouldn't be required. It's only useful to help the client choose the certificate.

0

精彩评论

暂无评论...
验证码 换一张
取 消