Keine SSL-client-Zertifikat arbeiten im Tornado

Ich brauche, um client-server-zertifizierte Kommunikation im Tornado. Ich generiert die root-CA-Zertifikat, und dann verwendet, es zu unterzeichnen, server-und client-Zertifikate. Wenn ich die überprüfung dieser Zertifikate mit openssl, sieht alles gut aus (siehe unten). Aber wenn ich die gleichen Schlüssel verwenden & Zertifikate im Tornado, bekomme ich "tlsv1 alert unknown ca".

Tornado-server:

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)                                                                                                                            
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain("/home/soustruh/cert/server.cert.pem",
        "/home/soustruh/cert/server.key.pem")
context.load_verify_locations("/home/soustruh/cert/rootCA.pem")

server = tornado.httpserver.HTTPServer(application, ssl_options=context)
server.listen(6090)
tornado.ioloop.IOLoop.instance().start()

Tornado-client:

url = "https://127.0.0.1:6090/" 
request = tornado.httpclient.HTTPRequest(url = url, method = "GET", 
        client_key="/home/soustruh/cert/client.key.pem",
        client_cert="/home/soustruh/cert/client.cert.pem")
client = tornado.httpclient.AsyncHTTPClient()
param = yield client.fetch(request, self.handle_request)

Client-Fehler:

WARNING:tornado.general:SSL Error on 10 ('127.0.0.1', 6090): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

Server-Fehler:

WARNING:tornado.general:SSL Error on 9 ('127.0.0.1', 47104): [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:598)
ERROR:tornado.general:Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/tornado/http1connection.py", line 674, in _server_request_loop
    ret = yield conn.read_response(request_delegate)
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 617, in run
    value = future.result()
  File "/usr/local/lib/python3.4/dist-packages/tornado/concurrent.py", line 109, in result
    raise_exc_info(self._exc_info)
  File "<string>", line 3, in raise_exc_info
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 620, in run
    yielded = self.gen.throw(*sys.exc_info())
  File "/usr/local/lib/python3.4/dist-packages/tornado/http1connection.py", line 165, in _read_message
    io_loop=self.stream.io_loop)
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 617, in run
    value = future.result()
  File "/usr/local/lib/python3.4/dist-packages/tornado/concurrent.py", line 111, in result
    raise self._exception
  File "/usr/local/lib/python3.4/dist-packages/tornado/iostream.py", line 1167, in _do_ssl_handshake
    self.socket.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 805, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:598)

Und nur für das Protokoll, openssl Prüfung:

openssl verify -CAfile /home/soustruh/cert/rootCA.pem /home/soustruh/cert/server.cert.pem 
/home/soustruh/cert/server.cert.pem: OK
openssl verify -CAfile /home/soustruh/cert/rootCA.pem /home/soustruh/cert/client.cert.pem 
/home/soustruh/cert/client.cert.pem: OK

Wenn ich server und client mit openssl, es funktioniert auch.

Openssl server:

openssl s_server -accept 12345 -cert server.cert.pem -key server.key.pem -CAfile rootCA.pem 
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDBq9HZ1LyiuB7i+UKpwYBVwMB3H2WN6AYZjKulQcDgk
x44vTFGwRL2hcj/3b/eXU76hBgIEU/xOWaIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

Openssl-client:

openssl s_client -connect 127.0.0.1:12345 -verify 2 -cert client.cert.pem -key client.key.pem 
verify depth is 2
CONNECTED(00000003)
~
verify error:num=19:self signed certificate in certificate chain
verify return:1
~
verify return:1
~
verify return:1
---
Certificate chain
~~~
---
Server certificate
-----BEGIN CERTIFICATE-----
~~~
-----END CERTIFICATE-----
~~~
---
No client certificate CA names sent
---
SSL handshake has read 3122 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9CDDF8FC4976A85112087356F329AC32FAFCF07E198AA50565B3BE8FE8476E1C
    Session-ID-ctx: 
    Master-Key: 6AF476752F28AE07B8BE50AA70601570301DC7D9637A0186632AE950703824C78E2F4C51B044BDA1723FF76FF79753BE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a1 78 18 17 2d db 2f 32-81 31 71 50 09 c0 5a 3e   .x..-./2.1qP..Z>
    0010 - 7a de 73 a3 79 30 07 71-ab 3e 77 60 03 17 43 fe   z.s.y0.q.>w`..C.
    0020 - bd 8f 71 7a 3f 27 a0 3d-de 74 03 fe c8 3e fe b3   ..qz?'.=.t...>..
    0030 - 1e c0 c7 80 64 8f 88 e7-2c 1c a1 6a 32 f1 a9 e7   ....d...,..j2...
    0040 - 86 1e b0 a7 ad 55 3d 04-f6 9d 9f a7 75 44 3b d3   .....U=.....uD;.
    0050 - 90 1a fc 6b 41 2c 47 aa-b7 70 6c 33 35 ae 1c 54   ...kA,G..pl35..T
    0060 - b4 5b 95 9b a7 7b ed 03-73 e3 34 f1 61 6c 9a ac   .[...{..s.4.al..
    0070 - 17 c5 0d 65 23 0f da 74-0c ba cc c7 bf e1 c9 67   ...e#..t.......g
    0080 - 38 3f 70 78 e5 c5 c3 4e-2d 6b 33 47 30 76 20 00   8?px...N-k3G0v .
    0090 - 50 f6 fe dd 0a 88 c3 c0-fa 1f 26 62 f1 14 3f e8   P.........&b..?.

    Start Time: 1409044057
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
InformationsquelleAutor Soustruh | 2014-08-26
Schreibe einen Kommentar