在PyOpenSSL中,离线验证证书链时,我可以设置验证标志:
# # # # # # # # # # # OpenSSL.Crypto # # # # # # # # # # #
trusted_certs = X509Store() # init Certificate store
check.trusted_certs.set_flags(0x80000) # X509_V_FLAG_PARTIAL_CHAIN
int_cert = load_certificate(FILETYPE_PEM, int_ca_cert_pem)
check.trusted_certs.add_cert(int_cert)
这是有效的";如果至少有一个证书在可信存储"中,则允许部分链。
当我创建到服务器的实际连接时,我找不到set_flags的API。我是不是错过了API?
# # # # # # # # # # # Socket # # # # # # # # # # #
sock = socket()
sock.setblocking(True)
sock.connect_ex(sock.getsockname())
des = (host, 443)
print('[*]Connect issued...')
sock.connect(des)
print('[*]connected: {0}t{1}'.format(host, sock.getpeername()))
# # # # # # # # # # # Context # # # # # # # # # # #
context = Context(TLSv1_2_METHOD)
context.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1)
ca_dir = Path(getcwd() + '/ca_files')
context.load_verify_locations(cafile=None, capath=ca_dir.__bytes__())
context.set_verify(VERIFY_PEER, verify_cb)
# # # # # # # # # # # Create TLS client # # # # # # # # # # #
tls_client = Connection(context, sock)
tls_client.set_connect_state()
try:
tls_client.do_handshake()
好的,找到了答案。
context.get_cert_store().set_flags(0x80000)
将此保留在SO上,以供其他使用PyOpenSSL和set_flags遇到相同问题的人使用。