python-3.x - SSL certificate verification fails in Python 3.6/3.7
Problem description
I ran the following code in Python 3.6 to connect to the storage.
[root@controller wuwy]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16)
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pywbem
>>> ip = '193.168.11.113'
>>> user = '193_160_28_29'
>>> password = '193_160_28_29'
>>> url = 'https://193.168.11.113:5989'
>>> ca_certs = '/home/ca.cer'
>>> conn = pywbem.WBEMConnection(url,(user, password),default_namespace='root/example',ca_certs=ca_certs,no_verification=False)
>>> conn.EnumerateInstances('EXAMPLE_StorageProduct')
I got the following error.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1919, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1232, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 776, in wbem_request
    client.endheaders()
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 461, in send
    self.connect() # pylint: disable=no-member
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 619, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib64/python3.6/ssl.py", line 1064, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.6/ssl.py", line 1055, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1032, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    raise ValueError("check_hostname needs server_hostname "
ValueError: check_hostname needs server_hostname argument
When I run the same code in Python 3.7, the error changes.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 2494, in EnumerateInstances
    **extra)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 1763, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 824, in wbem_request
    client.endheaders()
  File "/usr/python3/lib/python3.7/http/client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/python3/lib/python3.7/http/client.py", line 1016, in _send_output
    self.send(msg)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 483, in send
    self.connect() # pylint: disable=no-member
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 661, in connect
    conn_id=conn_id)
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLCertVerificationError'>: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '193.168.11.113'. (_ssl.c:1045); OpenSSL version: OpenSSL 1.1.1c FIPS 28 May 2019
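This code works with Python 2.7.
I checked the certificate's CN and SAN, and there seems to be no problem there.
So can anyone tell me what is wrong here?
Solution
I just ran into a similar problem with Python 3.7 today, but using Pika instead of PyWBEM; this may help:
It seems that Python 3.7 uses OpenSSL's hostname verification algorithm. In my case, the certificate used in my client was not valid for the IP (I had declared the server IP instead of the client IP where the client certificate is stored). I used Pika, with an example based on (tls_example.py): https://pika.readthedocs.io/en/stable/examples/tls_mutual_authentication.html
I had something like this: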
import ssl
import pika

context = ssl.create_default_context(
    cafile="PIKA_DIR/testdata/certs/ca_certificate.pem")
context.load_cert_chain("PIKA_DIR/testdata/certs/client_certificate.pem",
                        "PIKA_DIR/testdata/certs/client_key.pem")
# The second argument is the server_hostname the peer certificate is checked against.
ssl_options = pika.SSLOptions(context, '192.168.122.122')
conn_params = pika.ConnectionParameters(host='192.168.122.122',
                                        port=5671,
                                        ssl_options=ssl_options)
As I said, I had to replace the host in pika.SSLOptions with localhost, where I have the client certificate:
ssl_options = pika.SSLOptions(context, "localhost")
I would check whether you have a similar problem in your case. This helped me find the solution: https://bugs.python.org/issue34440
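As an added example (not part of the original answer, and not pywbem or Pika code): a simplified model of the name check that produces the question's "IP address mismatch" error on Python 3.7 and later. It takes a certificate dict in the layout returned by `ssl.SSLSocket.getpeercert()`; `explain_match` and the sample certificates are constructed for illustration.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Exact match, or a '*' that is the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def explain_match(cert, target):
    """Return (ok, reason) for connecting to `target` with `cert`.

    Simplified model of the Python 3.7+/OpenSSL check, not its actual code.
    """
    san = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if _is_ip(target):
        # An IP target is compared only with iPAddress SAN entries.
        want = ipaddress.ip_address(target)
        ips = [v for k, v in san if k == "IP Address" and _is_ip(v)]
        if any(ipaddress.ip_address(v) == want for v in ips):
            return True, "matched iPAddress SAN"
        if target in cns or any(k == "DNS" and v == target for k, v in san):
            return False, "IP appears only in CN/dNSName; an iPAddress SAN is required"
        return False, "no iPAddress SAN for this address"
    dns = [v for k, v in san if k == "DNS"]
    if any(_dns_match(v, target) for v in dns):
        return True, "matched dNSName SAN"
    # commonName is a fallback only when the certificate has no dNSName SAN.
    if not dns and any(_dns_match(v, target) for v in cns):
        return True, "matched commonName (no dNSName SAN present)"
    return False, "hostname not in dNSName SAN"

# Constructed sample certificates (not taken from the servers on this page).
CN_ONLY = {"subject": ((("commonName", "193.168.11.113"),),)}
DNS_SAN = {"subject": ((("commonName", "storage.example"),),),
           "subjectAltName": (("DNS", "193.168.11.113"), ("DNS", "localhost"))}
IP_SAN = {"subject": ((("commonName", "storage.example"),),),
          "subjectAltName": (("DNS", "storage.example"),
                             ("IP Address", "193.168.11.113"))}

if __name__ == "__main__":
    for name, cert in (("CN_ONLY", CN_ONLY), ("DNS_SAN", DNS_SAN), ("IP_SAN", IP_SAN)):
        print(name, explain_match(cert, "193.168.11.113"))
```

A certificate that carries the address only in its CN or as a dNSName entry fails for an IP target; reissuing it with an iPAddress SAN, or connecting by a name the certificate does list, keeps verification enabled.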