我在与pyOpenssl服务器进行TLS 1.3协商时遇到了麻烦。我使用openssl s_client(受支持的1.3)连接到服务器没有运气。但是,该服务器可使用TLS 1.2及更低版本。你能帮我什么我想念吗?预先感谢!
tls_server.py
-------------
import socket
from OpenSSL import SSL
sslctx = SSL.Context(SSL.TLSv1_2_METHOD)
sslctx.set_options(SSL.OP_NO_TLSv1_2 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1)
sslctx.set_cipher_list(b"TLS_AES_128_GCM_SHA256:AES128-GCM-SHA256")
sslctx.use_privatekey_file("key.pem")
sslctx.use_certificate_file("cert.pem")
bindsocket = socket.socket()
bindsocket.bind(('', 4433))
bindsocket.listen(5)
while True:
newsocket, fromaddr = bindsocket.accept()
sslconn = SSL.Connection(sslctx, newsocket)
sslconn.set_accept_state()
sslconn.do_handshake()
print(f"List of ciphers: {sslconn.get_cipher_list()}")
req = sslconn.read(4096)
print(req)
sslconn.write(b"HTTP/1.1 200 OK\r\nServer: my-special\r\nContent-length: 10\r\n\r\nHello!\r\n\r\n")
sslconn.set_shutdown(SSL.SENT_SHUTDOWN)
当我强制客户端仅连接tls1.3时,我得到的是以下错误
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
$ openssl s_client -connect localhost:4433 -tls1_3
4641068480:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
并且服务器返回跟踪:
$ python3.8 tls_server.py
Traceback (most recent call last):
File "tls_server.py", line 18, in <module>
sobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
_raise_current_error()
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_post_process_client_hello', 'no shared cipher')]
$
通过成功的TLS 1.2连接,我看到服务器返回以下密码,以确认对TLS 1.3的支持。
$ python3.8 tls_server.py
List of ciphers: ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256', 'AES128-GCM-SHA256']
b'GET /\n'
我正在使用的工具的版本
$ python3.8 -m OpenSSL.debug
pyOpenSSL: 19.1.0
cryptography: 2.9.2
cffi: 1.13.2
cryptography's compiled against OpenSSL: OpenSSL 1.1.1g 21 Apr 2020
cryptography's linked OpenSSL: OpenSSL 1.1.1g 21 Apr 2020
Pythons's OpenSSL: OpenSSL 1.1.1d 10 Sep 2019
Python executable: /Library/Frameworks/Python.framework/Versions/3.8/bin/python3.8
Python version: 3.8.1 (v3.8.1:1b293b6006, Dec 18 2019, 14:08:53)
[Clang 6.0 (clang-600.0.57)]
Platform: darwin
我不确定此配置:
sslctx = SSL.Context(SSL.TLSv1_2_METHOD) sslctx.set_options(SSL.OP_NO_TLSv1_2 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1)
您不是说只使用TLSv1.2,然后也不使用TLSv1-TLSv1.2?
现在没有SSL.TLSv1_3_METHOD选项和you’re supposed to use SSL.TLS_METHOD,但看起来像SSL.TLS_METHOD。
似乎有that is not exposed to pyopenssl yet关于如何更好地进行配置,但仍然没有添加(currently) open issue。