One, the module

Xx /pythonxx/Lib/ssl.py: this module provides client- and server-side network sockets with transport layer security (commonly known as "Secure Sockets Layer") encryption and peer authentication. It is built on the OpenSSL library, so it is available on all modern Unix systems, Windows, Mac OS X and any other platform on which OpenSSL is installed.

Two, the interface

The module provides the following class (constructor signature quoted from ssl.py):

from socket import socket, AF_INET, SOCK_STREAM
from ssl import CERT_NONE, PROTOCOL_TLS

class SSLSocket(socket):
    """This class implements a subtype of socket.socket that wraps
    the underlying OS socket in an SSL context when necessary, and
    provides read and write methods over that channel."""

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_TLS, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, npn_protocols=None, ciphers=None,
                 server_hostname=None,
                 _context=None):
        ...  # body omitted here; see the full implementation in ssl.py

Three, one-way authentication

One-way authentication process:
1. The client says Hello to the server.
2. The server sends its certificate and public key to the client.
3. The client checks the certificate against the CA: if it verifies, continue; otherwise the connection fails.
4. The client informs the server of the encryption algorithms it supports.
5. The server selects the strongest encryption algorithm and informs the client.
6. The client generates a random symmetric key, encrypts it with the server's public key and sends it to the server.
7. The server decrypts it with its private key and obtains the symmetric key.
8. The client uses the key for subsequent encrypted communication with the server.

1, the server side

The keyfile and certfile parameters of the class in Section 2 are mandatory: they specify the server's private key and certificate, and the certificate (with its public key) is sent to the client for verification. Pseudo-code:

import ssl
import eventlet.wsgi

# sock, keyfile, certfile and the remaining keyword arguments are supplied by the caller
ssl_sock = ssl.wrap_socket(sock=sock, keyfile=keyfile, certfile=certfile,
                           server_side=True, cert_reqs=ssl.CERT_NONE,
                           ssl_version=ssl.PROTOCOL_TLSv1_2,
                           do_handshake_on_connect=do_handshake_on_connect,
                           suppress_ragged_eofs=suppress_ragged_eofs,
                           ciphers=ciphers)
# Start the WSGI server on the TLS-wrapped socket
eventlet.wsgi.server(ssl_sock, ssl_sock.getsockname(), site, log,
                     environ=environ, max_http_version=max_http_version,
                     protocol=protocol, minimum_chunk_size=minimum_chunk_size,
                     log_x_forwarded_for=log_x_forwarded_for, keepalive=keepalive,
                     log_output=log_output, log_format=log_format,
                     url_length_limit=url_length_limit, debug=debug,
                     socket_timeout=socket_timeout,
                     capitalize_response_headers=capitalize_response_headers)

2, the client side

The verify parameter of the request method must be set to the root certificate that signed the server certificate; requests uses it to verify the certificate and public key sent by the server. Pseudo-code:

import requests

headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json'
}
kwargs = {
    "headers": headers,
    "verify": "/xxx/xxx.pem",   # root CA that signed the server certificate
    "timeout": 60
}

# url is the HTTPS endpoint being called
response = requests.request('GET', url, **kwargs)

The client's verify parameter must correspond to the server's certfile and keyfile: the CA given in verify must be the one that signed the server certificate.

Four, two-way authentication

Two-way authentication process:
1. The client says Hello to the server.
2. The server sends its certificate and public key to the client.
3. The client checks the server certificate against the CA: if it verifies, continue; otherwise the connection fails.
4. The client sends its certificate and public key to the server.
5. The server verifies the client certificate; if it fails, the server disconnects the client.
6. The client informs the server of the encryption algorithms it supports.
7. The server selects the strongest encryption algorithm, encrypts it with the client's public key and sends it to the client.
8. The client decrypts the packet with its private key and generates a random symmetric key, encrypts it with the server's public key and sends it to the server.
9. The server decrypts it with its private key and obtains the symmetric key.
10. The client uses the key for subsequent encrypted communication with the server.

1, the server side

ca_certs specifies the root certificate that signed the client certificate and is used to verify the certificate and public key sent by the client; here it is mandatory, and cert_reqs must be CERT_REQUIRED. Pseudo-code:

import ssl
import eventlet.wsgi

# sock, keyfile, certfile, cacerts and the remaining keyword arguments are supplied by the caller
ssl_sock = ssl.wrap_socket(sock=sock, keyfile=keyfile, certfile=certfile,
                           server_side=True, cert_reqs=ssl.CERT_REQUIRED,
                           ssl_version=ssl.PROTOCOL_TLSv1_2, ca_certs=cacerts,
                           do_handshake_on_connect=do_handshake_on_connect,
                           suppress_ragged_eofs=suppress_ragged_eofs,
                           ciphers=ciphers)
# Start the WSGI server on the TLS-wrapped socket
eventlet.wsgi.server(ssl_sock, ssl_sock.getsockname(), site, log,
                     environ=environ, max_http_version=max_http_version,
                     protocol=protocol, minimum_chunk_size=minimum_chunk_size,
                     log_x_forwarded_for=log_x_forwarded_for, keepalive=keepalive,
                     log_output=log_output, log_format=log_format,
                     url_length_limit=url_length_limit, debug=debug,
                     socket_timeout=socket_timeout,
                     capitalize_response_headers=capitalize_response_headers)

2, the client side

The cert parameter of the request method must also be specified: it gives the client certificate and private key, and the certificate is sent to the server for verification. Pseudo-code:

import requests

headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json'
}
kwargs = {
    "headers": headers,
    "verify": "/xxx/ca.pem",    # root CA that signed the server certificate
    "cert": (
        "/xxx/cert.pem",        # client certificate, signed by the server's ca_certs CA
        "/xxx/key.pem"),        # matching client private key
    "timeout": 60
}

# url is the HTTPS endpoint being called
response = requests.request('GET', url, **kwargs)

The client's verify parameter must correspond to the server's certfile and keyfile (the CA in verify must have signed the server certificate), and the client's cert parameter must correspond to the server's ca_certs (the CA in ca_certs must have signed the client certificate).
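As an added example (not code from the original post, nor from the ssl, eventlet or requests projects), the one-way and two-way setups from Sections 3 and 4 are run here as complete in-memory TLS handshakes using ssl.SSLContext, the current API (ssl.wrap_socket, used in the pseudo-code above, was deprecated in Python 3.7 and removed in 3.12). It assumes the openssl command-line tool is installed to generate a throwaway self-signed certificate that serves as CA, server identity and client identity; server_context, client_context, handshake and run_scenarios are names chosen for this example.

```python
import os, ssl, subprocess, tempfile
def make_self_signed(dirpath):
    # Constructed test identity (assumes the openssl CLI): one self-signed cert that is its own CA and doubles as server and client certificate
    key, cert = os.path.join(dirpath, "key.pem"), os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"], check=True, capture_output=True)
    return key, cert

def server_context(certfile, keyfile, ca_certs=None):
    # Server side of the page's wrap_socket call; ca_certs turns on two-way auth (CERT_REQUIRED)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # same floor as PROTOCOL_TLSv1_2 on the page
    ctx.load_cert_chain(certfile, keyfile)
    if ca_certs:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(ca_certs)
    return ctx

def client_context(verify, cert=None):
    # Client side: verify = CA of the server cert (requests' verify=), cert = (certfile, keyfile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname=True by default
    ctx.load_verify_locations(verify)
    if cert:
        ctx.load_cert_chain(*cert)
    return ctx

def handshake(server_ctx, client_ctx):  # full handshake over in-memory BIOs, no sockets needed
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    srv = server_ctx.wrap_bio(c2s, s2c, server_side=True)
    cli = client_ctx.wrap_bio(s2c, c2s, server_hostname="localhost")
    pending = [cli, srv]
    try:
        for _ in range(10):                         # a handshake finishes within a few rounds
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass                            # waiting for the peer's next flight
        return not pending                          # True only if both sides accepted the peer
    except ssl.SSLError:                            # peer certificate missing or rejected
        return False

def run_scenarios():  # one-way, two-way, and two-way with the client certificate left out
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed(d)
        return {"one_way": handshake(server_context(cert, key), client_context(cert)),
                "two_way": handshake(server_context(cert, key, cert), client_context(cert, (cert, key))),
                "two_way_no_client_cert": handshake(server_context(cert, key, cert), client_context(cert))}
```

The third scenario shows the failure mode the consistency rules above guard against: with cert_reqs=CERT_REQUIRED on the server, a client that omits cert is rejected during the handshake.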

zhuanlan.zhihu.com/p/36527074 www.rddoc.com/doc/Python/…