First, generate the certificate revocation list. In the directory that holds your root certificate and the certificate to be revoked, run:

```shell
touch index.txt serial crlnumber
echo 00 > crlnumber
echo 00 > serial
openssl ca -revoke Server.pem -config openssl.cnf
openssl ca -gencrl -out Server.crl -config openssl.cnf
```
This produces a revocation list that lists the Server.pem certificate, named Server.crl.

I once thought this part was all there was to it, but I ended up stuck in a hole for a long time :-( At some point, at someone else's request, I had modified openssl.cnf and added the following under [ v3_ca ]:

```ini
[ v3_ca ]
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
keyUsage = keyCertSign
```
The culprit was this keyUsage parameter. With the default cRLSign dropped, the self-signed root certificate could no longer be used to validate the CRL: Python kept reporting something like "ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]", while openssl reported "key usage does not include CRL signing". I was baffled for ages, because checking the CRL file with openssl clearly said OK, yet the error kept appearing. (The difference is that `openssl crl -CAfile` only verifies the CRL's signature against the CA key; it is path validation that enforces the rule that the CRL issuer's keyUsage, if present, must include cRLSign.) In the end it was all the configuration's fault.

```shell
jma:~/Desktop/pyssl$ openssl crl -in Server.crl -CAfile RootCA.pem -noout
verify OK
```
After some twists and turns I finally climbed out of the hole. With the configuration fixed, the regenerated CRL works in Python when the ssl.SSLContext is set up as follows:

```python
ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_context.load_verify_locations("Server.crl")
```
This time the Python run returned the following, which is exactly the message I wanted to see:
"[SSL: SSLV3_ALERT_CERTIFICATE_REVOKED] sslv3 alert certificate revoked (_ssl.c:833)"
While working through this problem I also discovered two very useful certificate-verification tools that ship with openssl, s_server and s_client. No more writing Python scripts: a single command can conveniently verify either a certificate or a CRL. The final commands look like this:

```shell
openssl s_server -accept 9999 -state -verify 1 -verify_return_error -cert Server.pem -key Server.key -CAfile RootCA.pem -CRL Client.crl -crl_check
openssl s_client -connect 127.0.0.1:9999 -state -verify 1 -verify_return_error -cert Client.pem -key Client.key -CAfile RootCA.pem -CRL Server.crl -crl_check
```
Here both the server and the client load the peer's CRL; that is only to record the usage, adjust it as you like. When openssl finds the certificate in the CRL it reports the following:

```shell
# Client side
---
SSL handshake has read 2085 bytes and written 183 bytes
Verification error: certificate revoked
---
# Server side
SSL_accept:SSLv3/TLS write server done
SSL3 alert read:fatal:certificate revoked
SSL_accept:error in SSLv3/TLS write server done
ERROR
140522782523840:error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:../ssl/record/rec_layer_s3.c:1399:SSL alert number 44
```
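The keyUsage pitfall above and the openssl-only verification approach can be reproduced together with the openssl CLI alone. The following is an added example, not the post's own files or the shared repository: it builds a throwaway CA in a temp directory with the keyUsage value you pass in, issues and revokes one server certificate, generates the CRL, and returns what `openssl verify -crl_check` says. The config sections, file names and the CN values are assumptions for the example.

```shell
crl_check_with_key_usage() {
    work=$(mktemp -d) || return 1
    (
    cd "$work" || exit 1
    # Minimal CA config; $1 lands in the root's [ v3_ca ] keyUsage line
    cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = RootCA.pem
private_key = RootCA.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = $1
EOF
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    # Self-signed root, then one server certificate issued by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config openssl.cnf \
        -keyout RootCA.key -out RootCA.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=server.test" -keyout Server.key -out Server.csr >/dev/null 2>&1
    openssl ca -batch -notext -config openssl.cnf -in Server.csr -out Server.pem >/dev/null 2>&1
    # Revoke it and publish the CRL, the same two steps as in the post
    openssl ca -batch -config openssl.cnf -revoke Server.pem >/dev/null 2>&1
    openssl ca -batch -config openssl.cnf -gencrl -out Server.crl >/dev/null 2>&1
    # Leaf-only CRL check: the diagnostic shows whether the CRL was usable at all
    openssl verify -crl_check -CAfile RootCA.pem -CRLfile Server.crl Server.pem 2>&1 || true
    )
    rm -rf "$work"
}
# With keyCertSign alone the CRL is rejected ("key usage does not include CRL
# signing"); with "cRLSign, keyCertSign" verify reports "certificate revoked".
crl_check_with_key_usage "keyCertSign"
```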
All the files used here are shared on GitHub at the address below:
github-pyssl
References:
openssl-s_server: s_server
openssl-s_client: s_client
openssl-verify: verify
root certificate usage: https://security.stackexchange.com/questions/49229/root-certificate-key-usage-non-self-signed-end-entity
python ssl manual: https://docs.python.org/3.7/library/ssl.html?highlight=ssl