我正在尝试了解如何保护数据在通过服务器和工作人员之间的开放网络传输后不被更改
在我的脑海里,我在想它应该遵循这样的东西:
|server|---send_job----->|worker|
| |<--send_results--| |
| | | |
| |-send_kill_req-->| |
显然,我不希望有人更改我的 send_job 来做一些邪恶的事情,我也不希望有人偷看我的结果。
所以我有一个 super 简单的 aiohttp 客户端/服务器设置,我试图在其中实现 ssl 但我完全迷路了。
下面是我尝试过的最基本的东西,但我也尝试通过以下方式实现我自己的 ssl 证书:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout domain_srv.key -out domain_srv.crt
连同 documentation但我仍然无法得到任何回应。
我该如何正确实现 ssl_context 才能使其正常工作?!
server.py
from aiohttp import web
import msgpack
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
web.run_app(app, ssl_context=ssl_context)
客户端.py
导入 aiohttp
导入异步
导入 ssl
async def main():
sslcontext = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
async with aiohttp.ClientSession() as session:
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
html = await response.read()
print(html)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
python3 server.pypython3 client.py然后我通常会得到类似这样的结果:
Traceback (most recent call last):
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
return await self._loop.create_connection(*args, **kwargs)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 804, in create_connection
sock, protocol_factory, ssl, server_hostname)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 830, in _create_connection_transport
yield from waiter
ConnectionResetError
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "client.py", line 14, in <module>
loop.run_until_complete(main())
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
return future.result()
File "client.py", line 9, in main
async with session.get("https://0.0.0.0:8443", ssl=sslcontext) as response:
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 843, in __aenter__
self._resp = await self._coro
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
timeout=timeout
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
proto = await self._create_connection(req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
req, traces, timeout)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
raise last_exc
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
req=req, client_error=client_error)
File "/home/mEE/miniconda3/envs/py3/lib/python3.6/site-packages/aiohttp/connector.py", line 829, in _wrap_create_connection
raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 0.0.0.0:8443 ssl:<ssl.SSLContext object at 0x7fe4800d2278> [None]
这是一个两部分的问题,
我不知道我在用 openssl 做什么,requests 库帮助我解决了这个问题!
import requests
requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
SSLError: HTTPSConnectionPool(host='0.0.0.0', port=8443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '0.0.0.0' doesn't match None",),))
事实证明,我在制作 openssl 证书时默认设置的那些行实际上很重要。一个稍微更正确(但可能仍然错误)的配置类似于
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
Email Address []:.
让我得到了结果:
import requests
requests.get("https://0.0.0.0:8443", verify="domain_srv.crt")
SubjectAltNameWarning: Certificate for 0.0.0.0 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
'subjectAltName' 似乎有点难以添加,需要比简单命令更多的工作,您需要遵循像 this 这样的指南。 ,我会尝试一下,看看该错误是否会消失。
我想我错误地使用了 ssl.Purpose.CLIENT/SERVER_AUTH,正如@Andrej 提到的那样,我将其调换(如下所示)并进行了一些其他更改,然后现在我得到了正确的回应。我只想说,我肯定还是不明白 ssl.Purpose 但至少我现在有一些可以使用的东西,希望我能及时弄清楚剩下的。
client.py
import aiohttp
import asyncio
import ssl
async def main():
sslcontext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='domain_srv.crt')
async with aiohttp.ClientSession() as session:
async with session.get("https://0.0.0.0:8443/JOHNYY", ssl=sslcontext) as response:
html = await response.read()
print(html)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
server.py
from aiohttp import web
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
web.run_app(app, ssl_context=ssl_context)
命令行
>python3 server.py
# Switch to a new window/pane
>python3 client.py
b'Hello, JOHNYY'
编辑: 我只想为正在处理此类问题的任何人发布更新。我认为使用 python 加密库是生成 crt/ key 文件的更好方法,因此如果您有兴趣,请随意使用/修改此模板(我不保证这些是最佳实践):
#!/usr/bin/env python
"""
stuff for network security
"""
import socket
import datetime
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import attr
@attr.s(auto_attribs=True)
class Netsec:
hostname: str = attr.Factory(socket.gethostname)
out_file_name: str = "domain_srv"
def generate_netsec(self):
# GENERATE KEY
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
with open(f"{self.out_file_name}.key", "wb") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wala Wala"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"),
x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
# Our certificate will be valid for 5 years
datetime.datetime.utcnow() + datetime.timedelta(days=365*5)
).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"localhost"),
x509.DNSName(self.hostname),
x509.DNSName(u"127.0.0.1")]),
critical=False,
# Sign our certificate with our private key
).sign(key, hashes.SHA256(), default_backend())
with open(f"{self.out_file_name}.crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
最佳答案
您正在创建证书,但没有将它们加载到 SSL 链中。并将您的 ssl_context 创建从 ssl.Purpose.SERVER_AUTH 更改为 ssl.Purpose.CLIENT_AUTH:
from aiohttp import web
import ssl
async def handle(request):
name = request.match_info.get('name', "Anonymous")
text = "Hello, " + name
return web.Response(text=text)
app = web.Application()
app.add_routes([web.get('/', handle),
web.get('/{name}', handle)])
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('domain_srv.crt', 'domain_srv.key')
web.run_app(app, ssl_context=ssl_context)
当您运行服务器时,客户端将在连接时打印:
b'Hello, Anonymous'
关于python - 如何设置 aiohttp https 服务器和客户端?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51645324/
我正在学习如何使用Nokogiri,根据这段代码我遇到了一些问题:require'rubygems'require'mechanize'post_agent=WWW::Mechanize.newpost_page=post_agent.get('http://www.vbulletin.org/forum/showthread.php?t=230708')puts"\nabsolutepathwithtbodygivesnil"putspost_page.parser.xpath('/html/body/div/div/div/div/div/table/tbody/tr/td/div
总的来说,我对ruby还比较陌生,我正在为我正在创建的对象编写一些rspec测试用例。许多测试用例都非常基础,我只是想确保正确填充和返回值。我想知道是否有办法使用循环结构来执行此操作。不必为我要测试的每个方法都设置一个assertEquals。例如:describeitem,"TestingtheItem"doit"willhaveanullvaluetostart"doitem=Item.new#HereIcoulddotheitem.name.shouldbe_nil#thenIcoulddoitem.category.shouldbe_nilendend但我想要一些方法来使用
我有一个Ruby程序,它使用rubyzip压缩XML文件的目录树。gem。我的问题是文件开始变得很重,我想提高压缩级别,因为压缩时间不是问题。我在rubyzipdocumentation中找不到一种为创建的ZIP文件指定压缩级别的方法。有人知道如何更改此设置吗?是否有另一个允许指定压缩级别的Ruby库? 最佳答案 这是我通过查看rubyzip内部创建的代码。level=Zlib::BEST_COMPRESSIONZip::ZipOutputStream.open(zip_file)do|zip|Dir.glob("**/*")d
我正在尝试使用ruby和Savon来使用网络服务。测试服务为http://www.webservicex.net/WS/WSDetails.aspx?WSID=9&CATID=2require'rubygems'require'savon'client=Savon::Client.new"http://www.webservicex.net/stockquote.asmx?WSDL"client.get_quotedo|soap|soap.body={:symbol=>"AAPL"}end返回SOAP异常。检查soap信封,在我看来soap请求没有正确的命名空间。任何人都可以建议我
关闭。这个问题是opinion-based.它目前不接受答案。想要改进这个问题?更新问题,以便editingthispost可以用事实和引用来回答它.关闭4年前。Improvethisquestion我想在固定时间创建一系列低音和高音调的哔哔声。例如:在150毫秒时发出高音调的蜂鸣声在151毫秒时发出低音调的蜂鸣声200毫秒时发出低音调的蜂鸣声250毫秒的高音调蜂鸣声有没有办法在Ruby或Python中做到这一点?我真的不在乎输出编码是什么(.wav、.mp3、.ogg等等),但我确实想创建一个输出文件。
给定这段代码defcreate@upgrades=User.update_all(["role=?","upgraded"],:id=>params[:upgrade])redirect_toadmin_upgrades_path,:notice=>"Successfullyupgradeduser."end我如何在该操作中实际验证它们是否已保存或未重定向到适当的页面和消息? 最佳答案 在Rails3中,update_all不返回任何有意义的信息,除了已更新的记录数(这可能取决于您的DBMS是否返回该信息)。http://ar.ru
我在使用omniauth/openid时遇到了一些麻烦。在尝试进行身份验证时,我在日志中发现了这一点:OpenID::FetchingError:Errorfetchinghttps://www.google.com/accounts/o8/.well-known/host-meta?hd=profiles.google.com%2Fmy_username:undefinedmethod`io'fornil:NilClass重要的是undefinedmethodio'fornil:NilClass来自openid/fetchers.rb,在下面的代码片段中:moduleNetclass
我在我的项目目录中完成了compasscreate.和compassinitrails。几个问题:我已将我的.sass文件放在public/stylesheets中。这是放置它们的正确位置吗?当我运行compasswatch时,它不会自动编译这些.sass文件。我必须手动指定文件:compasswatchpublic/stylesheets/myfile.sass等。如何让它自动运行?文件ie.css、print.css和screen.css已放在stylesheets/compiled。如何在编译后不让它们重新出现的情况下删除它们?我自己编译的.sass文件编译成compiled/t
我想安装一个带有一些身份验证的私有(private)Rubygem服务器。我希望能够使用公共(public)Ubuntu服务器托管内部gem。我读到了http://docs.rubygems.org/read/chapter/18.但是那个没有身份验证-如我所见。然后我读到了https://github.com/cwninja/geminabox.但是当我使用基本身份验证(他们在他们的Wiki中有)时,它会提示从我的服务器获取源。所以。如何制作带有身份验证的私有(private)Rubygem服务器?这是不可能的吗?谢谢。编辑:Geminabox问题。我尝试“捆绑”以安装新的gem..
我正在寻找执行以下操作的正确语法(在Perl、Shell或Ruby中):#variabletoaccessthedatalinesappendedasafileEND_OF_SCRIPT_MARKERrawdatastartshereanditcontinues. 最佳答案 Perl用__DATA__做这个:#!/usr/bin/perlusestrict;usewarnings;while(){print;}__DATA__Texttoprintgoeshere 关于ruby-如何将脚