带有 CherryPy 的 2 路 SSL

发布于 2024-10-07 11:22:07 字数 466 浏览 6 评论 0原文

从 CherryPy 3.0 及更高版本开始，只需指向服务器证书和私钥即可打开单向 SSL，如下所示：

import cherrypy

class HelloWorld(object):
    def index(self):
        return "Hello SSL World!"
    index.exposed = True

cherrypy.server.ssl_certificate = "keys/server.crt"
cherrypy.server.ssl_private_key = "keys/server.crtkey" 
cherrypy.quickstart(HelloWorld())

这使客户端能够验证服务器的真实性。有谁知道 CherryPy 是否支持 2 路 ssl，例如服务器还可以通过验证客户端证书来检查客户端的真实性？

如果是，有人可以举个例子吗？或者发布一个示例的参考？

原文

From CherryPy 3.0 and onwards, one-way SSL can be turned on simply by pointing to the server certificate and private key, like this:

import cherrypy

class HelloWorld(object):
    def index(self):
        return "Hello SSL World!"
    index.exposed = True

cherrypy.server.ssl_certificate = "keys/server.crt"
cherrypy.server.ssl_private_key = "keys/server.crtkey" 
cherrypy.quickstart(HelloWorld())

This enables clients to validate the server's authenticity. Does anyone know whether CherryPy supports 2-way ssl, e.g. where the server can also check client authenticity by validating a client certificate?

If yes, could anyone give an example how is that done? Or post a reference to an example?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我不咬妳我踢妳 2024-10-14 11:22:07

它不是开箱即用的。您必须修补 wsgiserver 才能提供该功能。 http://www.cherrypy.org/ticket/1001< 上有一个票证（和补丁）正在处理中< /a>.

回复收藏 0 原文

浅紫色的梦幻 2024-10-14 11:22:07

我一直在寻找同样的东西。我知道 CherryPy 网站上有一些补丁。

我还在 CherryPy SSL 客户端身份验证中找到了以下内容。我还没有将其与 CherryPy 补丁进行比较，但也许这些信息会有所帮助。

我们最近需要开发一个快速
但有弹性的 REST 应用程序和
发现 CherryPy 适合我们的需求
比其他 Python 网络更好
框架，如 Twisted。
不幸的是，它的简单性缺乏
我们需要的关键功能，服务器/客户端
SSL 证书验证。所以
我们花了几个小时写了一些
快速修改当前
发布，3.1.2。下面的代码
片段是我们的修改
制作：

cherrypy/_cpserver.py

@@ -55,7 +55,6 @@ instance = None ssl_certificate = None ssl_private_key
= None
+ ssl_ca_certificate = None nodelay = True

def __init__(self):

cherrypy/wsgiserver/__init__.py

@@ -1480,6 +1480,7 @@
# Paths to certificate and private key files ssl_certificate = None ssl_private_key = None
+    ssl_ca_certificate = None

def __init__(self, bind_addr, wsgi_app, numthreads=10, server_name=None, max=-1, request_queue_size=5, timeout=10, shutdown_timeout=5):

@@ -1619,7 +1620,9 @@

self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) if self.nodelay: self.socket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
-        if self.ssl_certificate and self.ssl_private_key:
+        if self.ssl_certificate and self.ssl_private_key and \
+            self.ssl_ca_certificate:
+ if SSL is None: raise ImportError("You must install pyOpenSSL to use HTTPS.")

@@ -1627,6 +1630,11 @@ ctx = SSL.Context(SSL.SSLv23_METHOD) ctx.use_privatekey_file(self.ssl_private_key) ctx.use_certificate_file(self.ssl_certificate)
+            x509 = crypto.load_certificate(crypto.FILETYPE_PEM,
+                open(self.ssl_ca_certificate).read())
+            store = ctx.get_cert_store()
+            store.add_cert(x509)
+            ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda *x:True) self.socket = SSLConnection(ctx, self.socket) self.populate_ssl_environ()

上述补丁需要
包含新配置
CherryPy 服务器内部的选项
配置，
server.ssl_ca_证书。这
选项标识证书
连接客户端的权限文件
将被验证，如果
客户端没有提供有效的客户端
证书它将关闭
立即连接。
我们的解决方案具有优势
缺点，主要优点
如果连接客户端没有
出示有效证书
连接立即关闭。
这有利于安全问题，因为
它不允许客户任何
访问 CherryPy 应用程序
堆。然而，由于限制
是在套接字级别完成的
CherryPy 应用程序永远看不到
客户端连接，因此
解决方案有些不灵活。
最佳解决方案将允许
客户端连接到 CherryPy
套接字并发送客户端证书
进入应用程序堆栈。然后一个
自定义 CherryPy 工具将验证
里面的证书
应用程序堆栈并关闭
必要时连接；很遗憾
由于 CherryPy 的结构
pyOpenSSL 实现是
很难找回客户
应用程序内的证书
堆栈。
当然上面的补丁应该
使用时请自行承担风险。如果你
请提出更好的解决方案
让我们知道。

I have been looking for the same thing. I know there are some patches on the CherryPy site.

I also found the following at CherryPy SSL Client Authentication. I haven't compared this vs the CherryPy patches but maybe the info will be helpful.

We recently needed to develop a quick
but resilient REST application and
found that CherryPy suited our needs
better than other Python networking
frameworks, like Twisted.
Unfortunately, its simplicity lacked a
key feature we needed, Server/Client
SSL certificate validation. Therefore
we spent a few hours writing a few
quick modifications to the current
release, 3.1.2. The following code
snippets are the modifications we
made:

cherrypy/_cpserver.py

@@ -55,7 +55,6 @@ instance = None ssl_certificate = None ssl_private_key
= None
+ ssl_ca_certificate = None nodelay = True

def __init__(self):

cherrypy/wsgiserver/__init__.py

@@ -1480,6 +1480,7 @@
# Paths to certificate and private key files ssl_certificate = None ssl_private_key = None
+    ssl_ca_certificate = None

def __init__(self, bind_addr, wsgi_app, numthreads=10, server_name=None, max=-1, request_queue_size=5, timeout=10, shutdown_timeout=5):

@@ -1619,7 +1620,9 @@

self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) if self.nodelay: self.socket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
-        if self.ssl_certificate and self.ssl_private_key:
+        if self.ssl_certificate and self.ssl_private_key and \
+            self.ssl_ca_certificate:
+ if SSL is None: raise ImportError("You must install pyOpenSSL to use HTTPS.")

@@ -1627,6 +1630,11 @@ ctx = SSL.Context(SSL.SSLv23_METHOD) ctx.use_privatekey_file(self.ssl_private_key) ctx.use_certificate_file(self.ssl_certificate)
+            x509 = crypto.load_certificate(crypto.FILETYPE_PEM,
+                open(self.ssl_ca_certificate).read())
+            store = ctx.get_cert_store()
+            store.add_cert(x509)
+            ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda *x:True) self.socket = SSLConnection(ctx, self.socket) self.populate_ssl_environ()

The above patches require the
inclusion of a new configuration
option inside of the CherryPy server
configuration,
server.ssl_ca_certificate. This
option identifies the certificate
authority file that connecting clients
will be validated against, if the
client does not present a valid client
certificate it will close the
connection immediately.
Our solution has advantages and
disadvantages, the primary advantage
being if the connecting client doesn’t
present a valid certificate it’s
connection is immediately closed.
This is good for security concerns as
it does not permit the client any
access into the CherryPy application
stack. However, since the restriction
is done at the socket level the
CherryPy application can never see the
client connecting and hence the
solution is somewhat inflexible.
An optimal solution would allow the
client to connect to the CherryPy
socket and send the client certificate
up into the application stack. Then a
custom CherryPy Tool would validate
the certificate inside of the
application stack and close the
connection if necessary; unfortunately
because of the structure of CherryPy’s
pyOpenSSL implementation it is
difficult to retrieve the client
certificate inside of the application
stack.
Of course the patches above should
only be used at your own risk. If you
come up with a better solution please
let us know.