I am writing a python socket server with ssl and I am encountering certificate unknown error during ssl handshake.
I have created private key and certificate with openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes command on my own.
This server is intended to run in intranet(under wifi) in my PC, and users will contact my PC IPaddress with their browser. Hence I have not registered this certificate with any CA. and I don't think its mandatory in my case.
Below more details..
echoserver.py
import socket
import ssl
import threading
class echoserver:
def __init__(self,i,p):
self.ip=i
self.port=p
def handler(self,c,a):
msg=c.recv(1024)
c.send(msg)
def serve(self):
echoserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
echoserver = ssl.wrap_socket(echoserver, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
echoserver.bind((self.ip, self.port))
echoserver.listen()
while True:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
es=echoserver('192.168.43.124',443) #My PC's ip assigned under wifi network
es.serve()
#Connecting from mobile phone within same network as https://192.163.43.124
Error in server during ssl handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
What I tried
Adding cert_reqs=ssl.CERT_NONE and ca_certs="/location/to/keys" parameters in wrap_socket function.
Doesn't seems to work. I assume these options are for client side.
Adding do_handshake_on_connect=False in wrap_socket function
In Chrome, When connected server throws same error and thread/connection closed with exception. and chrome seems to send same connection request immediately again, and the second request works flawlessly !!.
In firefox, First connection closed with same error and there is no second request.
Assigning common name in certificate same as IP address
Not working.
Checked certificate_unknown error in ietf specification here. It gives no clue except this explanation certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
One other thing I noted is, if I use built-in ThreadedHTTPServer in the same way as below, It works beautifully, without any issues I mentioned above.
httpd = self.ThreadedHTTPServer((self.ip, self.port), self.handler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
I am not sure why this happens and how should I proceed with this. and not sure how built-in server modules works fine.
Appreciate any leads. Thanks.
Below Python builtin HTTPServer works fine with ssl, not showing any error. Not sure how?
import ssl
from http.server import HTTPServer, BaseHTTPRequestHandler
class requesthandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-type","text/html")
self.end_headers()
self.wfile.write("<html><body>It works</body></html>".encode('utf8'))
httpd = HTTPServer(('192.168.43.124', 443), requesthandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='keys/key.pem', certfile='keys/cert.pem', server_side=True)
httpd.serve_forever()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1108)
This means the client (browser) does not trust your certificate since it is issued by an unknown entity. If you want to use self-signed certificates you have to explicitly import these as trusted for all clients you want to use.
There is no way around this. The certificate in TLS is to make sure that the connection is done with the expected server and not some man in the middle claiming to be the expected server. If a client would trust arbitrary certificates then it would also trust certificates created by a man in the middle attacker.
Below Python builtin HTTPServer works fine with ssl, not showing any error. Not sure how?
The browser will still complain.
The only difference is that the server captures the exception and thus will not crash but continue. You can do the same in your code:
while True:
try:
(c,a)=echoserver.accept()
threading.Thread(target=self.handler, args=(c,a)).start()
except:
pass # ignore error
Related
I have an existing code in Python Autobahn which connects to a Crossbar server using WS. I want to make it work on WSS.
I have changed Crossbar, and it is working fine. I have tested it using Javascript Autobahn. However, the Python part doesn't connect to Crossbar with the change of protocol.
Although the certificate used in Crossbar server is a DigiCert certified one; but my guess is that the problem is related to the certificate. As I tried checking the certificate using this procedure;
from __future__ import print_function
import sys
from twisted.internet import defer, endpoints, protocol, ssl, task, error
def main(reactor, host, port=443):
options = ssl.optionsForClientTLS(hostname=host.decode('utf-8'))
port = int(port)
class ShowCertificate(protocol.Protocol):
def connectionMade(self):
self.transport.write(b"GET / HTTP/1.0\r\n\r\n")
self.done = defer.Deferred()
def dataReceived(self, data):
certificate = ssl.Certificate(self.transport.getPeerCertificate())
print("OK:", certificate)
self.transport.abortConnection()
def connectionLost(self, reason):
print("Lost.")
if not reason.check(error.ConnectionClosed):
print("BAD:", reason.value)
self.done.callback(None)
return endpoints.connectProtocol(
endpoints.SSL4ClientEndpoint(reactor, host, port, options),
ShowCertificate()
).addCallback(lambda protocol: protocol.done)
task.react(main, sys.argv[1:])
it fails.
('BAD:', Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],))
I have already installed the “service_identity” and “idna” packages from PyPI, as the link suggests.
I am trying to either help Twisted to verify the certificate or bypass the verification process.
Apparently, Twisted couldn't verify the certificate. So, manually injecting the key/cert files made the change:
endpoints.SSL4ClientEndpoint(reactor, host, port, ssl.DefaultOpenSSLContextFactory("key.pem", "cert.pem")),
However, if the key/cert files are not available, veritication can be simply turned off (not secure, though):
endpoints.SSL4ClientEndpoint(reactor, host, port, ssl.CertificateOptions(verify=False)),
In Python, I'm writing a simple FTP server and client that I want to secure with TLS.
For that, I use the TLS/SSL wrapper offered by Python.
My problem is that I always get the following error at the moment the client runs socket.connect :
Exception has occurred: SSLCertVerificationError [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123) File
"/work/Python/hsireportClient/hsireportClient.py", line 167, in
f_socket.connect(f_server)
This is how I start listening on the server side :
from socketserver import ThreadingTCPServer
from app.mod_report.controlersTCP import tcpRequestHandler
import ssl
...
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslcontext.load_cert_chain('/work/Python/hoaReport/ssl/hoizey_net.crt','/work/Python/hoaReport/ssl/certificat.key')
f_listen = ('0.0.0.0', 6667) # TODO : Paraméter le port en base de données
f_server=ThreadingTCPServer(f_listen, tcpRequestHandler)
f_server.socket=sslcontext.wrap_socket(f_server.socket, server_side=True)
f_server.serve_forever()
and how I connect to the server on the client side :
from socket import socket, AF_INET, SOCK_STREAM, IPPROTO_TCP, TCP_NODELAY
from ssl import SSLContext, PROTOCOL_TLS_CLIENT, CERT_REQUIRED
from certifi import where as certifi_where
...
# Creates SSL Context
f_context = SSLContext(PROTOCOL_TLS_CLIENT)
f_context.verify_mode=CERT_REQUIRED
f_context.load_verify_locations(cafile=path.relpath(certifi_where()), capath=None, cadata=None)
# Opens the socket and connets to the server
f_socket=socket(AF_INET, SOCK_STREAM)
f_socket=f_context.wrap_socket(f_socket, server_hostname=f_serverHost)
f_serverPort=int(f_serverPort)
f_server=(f_serverHost, f_serverPort)
f_socket.setsockopt(IPPROTO_TCP, TCP_NODELAY, 1)
f_socket.setblocking(True)
f_socket.connect(f_server)
My server certificate has been signed by Comodo, and I checked the CA root certificate exists in the file certifi.where() points to.
Of course, everything works fine if I remove SSL wrapper.
I searched a lot about this problem, and I noticed it occurs quite frequently, but I couldn't find a solution, and I have to admit I don't understand what goes wrong.
Please, does anybody can help with this ?
Thanks a lot.
With the help of Steffen Ullrich, I manage to get my certificates orking as expected.
I just had to add all intermediary certificate in my certificate file and that did the job.
Thanks a lot for your help
This is not a duplicate for this post. I tried the solutions there and nothing works in my case.
I am using Windows and Python 3.6.5. I have a python script for a TLS client. The server I need to connect to uses a self-signed certificate. When I try to connect to it using my script, I get this error:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)
I need to parse the certificate. I tried to add my server's certificate .pem content to file named: cacert.pem which is in: C:\Python36\Lib\site-packages\certifi and run the program again. Nothing change. Here is my scripot. Please help me to make the client make exception for this server as I trust its certificate.
import socket, ssl
import itertools
context = ssl.SSLContext()
context.verify_mode = ssl.CERT_OPTIONAL
context.check_hostname = False
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
domain="192.168.56.3" # my server
ssl_sock = context.wrap_socket(s, server_hostname=domain)
ssl_sock.connect((domain, 443))
print("====== peer's certificate ======")
try:
cert = ssl_sock.getpeercert()
print(cert)
except SSLError as e:
print("Error: ",e)
ssl_sock.close()
This question has been idle for a while, but in case somebody is still struggling with connecting to a server with a self-signed certificate via Python ssl library:
You can use the load_verify_locations method of SSLContext to specify custom self-signed root certs (see Python Docs for load_verify_locations).
The forementioned code could be extended as follows:
...
context = ssl.SSLContext()
context.verify_mode = ssl.CERT_OPTIONAL
context.check_hostname = False
context.load_verify_locations(cafile='/path/to/your/cacert.pem')
...
Be aware that you also need to include public root certs in case you want to connect to other servers with public certificates with the same client/context. (you could for example append your cacert.pem content to the certifi root certificates and reference that folder / path instead).
See also this Python docs paragraph for more information: client-side operations.
I'm implementing an IMAP proxy which securely communicates with a client.However, I have a problem when handshaking.
The code of my proxy is:
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((host, port))
ssock, addr = self.sock.accept()
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
self.conn_client = context.wrap_socket(ssock)
And I receive the error:
ssl.SSLError: [SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:833)
The code of my tests is:
M = imaplib.IMAP4_SSL(IP_PROXY)
And I receive the error:
ssl.SSLError: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:777)
However, when the code of the proxy is:
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((host, port))
ssock, addr = self.sock.accept()
self.conn_client = ssl.wrap_socket(ssock, certfile=CERT, server_side= True)
It correctly works but I don't want to use certificate.
Thank you
It correctly works but I don't want to use certificate.
SSL/TLS is almost everywhere used with a certificate to make sure that the client is talking to the expected server and not to some man in the middle. If you don't want to use a certificate you need to either use a different kind of authentication (like PSK) or use no authentication at all ("anonymous authentication" - very bad idea).
In any way you would need to set the relevant ciphers to enable this alternative authentication on both client and server. This can be done with the ciphers attribute to wrap_socket on the server side and in your client code it could probably be done by constructed a SSLContext with the necessary ciphers and using the ssl_context argument to specific the context to be used in IMAP4_SSL.
But this is only for your specific Python based IMAP client. Don't expect that you will be able to configure commonly used IMAP clients like Thunderbird or Outlook to be usable with a server without certificates. And like I said, it is a bad idea in the first place.
I'm stuck with this for several days and could not figure it out still. I just want to build a simple TLS c/s communication in python. For server I use EC2, client I use my own laptop. I setup and test normal socket communication and everything works fine.
When I try this tutorial from the official doc, I run into problem. For the following client code:
# require a certificate from the server
ssl_sock = ssl.wrap_socket(s,
ca_certs="/etc/ca_certs_file",
cert_reqs=ssl.CERT_REQUIRED)
As far as I know the part /etc/ca_certs_file should be some certificates from CAs. I am confused where should I look for them. I actually find some .pem files in /etc/ssl/certs on EC2 server but nothing on the client, my laptop.
I also tried to generate a user certificate according to this tutorial on openssl, I followed the steps, generating cakey.pem, cacert.pem for the server, userkey.pem, usercert-req.pem for the client, all in a same directory in my EC2 server. When I execute openssl ca -in usercert-req.pem -out usercert.pem, it outputs error:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load certificate
140420412405408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
So actually how should this cert file get generated? Generate at server side, then wait for client to request them over the air, or generate at client side, or obtain from 3rd party and directly use on client side?
Could anyone give any guidance? Any help is appreciated.
This will create a self signed certificate pair, the private key will be in the same file:
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
And then from python on the server side:
new_client_socket, address = server_socket.accept()
secured_client_socket = ssl.wrap_socket(new_client_socket,
server_side=True,
certfile='cert.pem',
keyfile='cert.pem',
ssl_version=ssl.PROTOCOL_TLSv1)
And the client application:
unsecured_client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket = ssl.wrap_socket(unsecured_client_socket,
ca_certs='cert.pem',
cert_reqs=ssl.CERT_REQUIRED,
ssl_version=ssl.PROTOCOL_TLSv1)