使用 Python、Ruby 或 Perl 连接到 .NET Sslstream x.509 套接字
我有一个奇怪的要求。我正在尝试与用 C# 编写的服务器进行通信。基本上看起来像这样:
SslStream sslStream = new SslStream(client.GetStream(), true,
ValidateServerCertificate,
SelectLocalCertificate);
sslStream.AuthenticateAsServer(_pushCert);
我还有 C# 示例代码,它使用 X509 证书并连接到服务器。我也有 cert.pfx 文件的密码。
我想做的是设置某种可以连接到套接字、传输几个字节并接收响应的 shell 脚本。 (实际上是任何语言,尽管我正在研究 Python、Ruby 或 Perl)
我尝试使用 Python 中的 SSL 包装器,但我收到一条错误消息,指出它们没有已知的服务器/客户端通信算法。
我的 Python 代码示例:
ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = ssl.wrap_socket(ss, ca_certs=CERT, ssl_version=ssl.PROTOCOL_SSLv23 )
#Attempt connection to our server
try:
s.connect((HOST, PORT))
print s
except:
print 'ERROR Connecting'
sys.exit(0)
对于 CERT,我尝试了一些不同的文件:.pfx,以及使用 openssl 从 .pfx 中提取的一些文件。
我也尝试了许多不同的示例(ssl.wrap_socket 的参数)。我也不太熟悉这些联系。
也许这里有人可以帮忙?
谢谢!
I have a weird requirement. I am trying to communicate with a server written in C#. It looks like this basically:
SslStream sslStream = new SslStream(client.GetStream(), true,
ValidateServerCertificate,
SelectLocalCertificate);
sslStream.AuthenticateAsServer(_pushCert);
I also have example code in C# that uses a X509 certificate and connects to the server. I have the password for the cert.pfx file as well.
What I would like to do is setup some kind of shell script that can connect to the socket, transmit a few bytes and receive the response. (any language really, although I was looking at Python or Ruby or Perl)
I tried using the SSL wrapper from Python, but I get an error stating their is no known algorithm for the server/client to talk.
Example of my Python code:
ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = ssl.wrap_socket(ss, ca_certs=CERT, ssl_version=ssl.PROTOCOL_SSLv23 )
#Attempt connection to our server
try:
s.connect((HOST, PORT))
print s
except:
print 'ERROR Connecting'
sys.exit(0)
For CERT I tried a few different filee: the .pfx, and some extracted from the .pfx using openssl.
I tried many different examples as well (Arguments for the ssl.wrap_socket). I am not really familiar with these connections either.
Perhaps someone here could lend a hand?
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以简化 SslStream 构造函数调用:
此服务器发送 _pushCert 并且不期望客户端发回证书。服务器需要证书的私钥才能建立 SSL 连接。
客户端只需要签署服务器证书的 CA 根证书(或者接受不可信证书的选项)。该证书需要位于“受信任的根证书存储”中,或者以其他方式标识为对客户端包装程序可信。
如果服务器证书由中间 CA 证书签名,而中间 CA 证书本身又由根 CA 证书签名,则客户端也需要该中间证书。它可以由服务器发送,也可以已经在客户端。无论哪种方式,整个签名证书链都必须掌握在客户端手中,以验证链上的所有签名。中间 CA 证书不需要位于受信任的根存储中。
双方都不需要 CA 根或中间签名证书的私钥。
但是,如果您的服务器希望客户端发送客户端证书,那么您必须使用更多参数调用 AuthenticateAsServer (clientCertificateRequired == true)。在这种情况下,客户端需要自己的证书和其证书的私钥。服务器需要 CA 根在其受信任存储中签署客户端证书。例如,客户端包装器将采用 pfx 文件,其中包含客户端证书和私钥。服务器不需要客户端的私钥。
You can simplify your SslStream constructor call:
This server sends _pushCert and does not expect the client to send a certificate back. The server needs the private key for the certificate to make the SSL connection.
The client only needs the CA root certificate that signed the server certificate (or, an option to accept an untrusted certificate.) This needs to be in the "trusted root certificate store" or otherwise identified as trusted to the client wrapper.
If the server certificate is signed by an intermediate CA certificate that is itself signed by the root CA certificate, the client needs that intermediate certificate too. That can be sent by the server, or can already be at the client. Either way, the entire chain of signing certificates has to be in hand at the client to verify all of the signatures along the chain. The intermediate CA certificate does not need to be in the trusted root store.
Neither side needs a private key for the CA root, or for an intermediate signing certificate.
However, if your server expects the client to send a client certificate, then you have to call AuthenticateAsServer with more arguments (clientCertificateRequired == true). In that case, the client needs both its own certificate and the private key for its certificate. The server needs the CA root that signs the client certificate in its trusted store. The client wrapper will take a pfx file, for example, containing the client certificate and private key. The server does not need the client's private key.