sslv3 alert handshake failure with openSSL and python requests

3

I'm having trouble calling a RESTful API that is protected by mutual SSL.

I have no problem calling the API from SOAPUI after supplying the keystore with the private and public key to use for mutual SSL.

In a Python script, I'm using the snippet below to perform mutual SSL (via the requests library):

import ssl

import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager


class MyAdapter(HTTPAdapter):
    """Transport adapter that forces TLSv1 on the connection pool."""

    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(
            num_pools=connections, maxsize=maxsize,
            block=block, ssl_version=ssl.PROTOCOL_TLSv1)
...
s = requests.session()
s.mount("https://", MyAdapter())
req = s.post(
    downstreamURL, data=payload,
    headers=headers, verify=False,
    # raw strings: "\U" in a normal string literal is not a valid escape
    cert=(r"C:\Users\garamirez\Documents\public.pem",
          r"C:\Users\garamirez\Documents\key.key")
)

I have tested another API protected by mutual SSL with the snippet above, and the requests library has no problem sending the client certificate.

When I run my script, I get the following error: requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)

I ran a Wireshark capture to compare the difference between a successful SOAPUI call and a failed Python script call, and I don't see why the Python call is failing. In both cases the client and server agree to use the same protocol and the same cipher suite, but the Python case fails right after "Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message", as shown below:

Successful SOAPUI sequence:

From the Wireshark capture, the back-end API only supports the AES128-SHA cipher over TLSv1.

Interestingly, openssl is also showing an SSLv3 handshake failure despite getting the full cert chain:

CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Missouri, L = Saint Louis, O = TALX Corporation, OU = ASG, CN = test.ofx4.talx.com
verify return:1
4294956672:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
4294956672:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Saint Louis/O=TALX Corporation/OU=ASG/CN=test.ofx4.talx.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Missouri/L=Saint Louis/O=TALX Corporation/OU=ASG/CN=test.ofx4.talx.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
Client Certificate Types: RSA sign
---
SSL handshake has read 4660 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 734CAC5732452D935C1F5CDBC1900BB78E0805205013443C1B4D742D21B82FFD
    Session-ID-ctx:
    Master-Key: BFCB8041D10B303310CADDCF6A987D96E8FE72A05B2D8499410E06B96A326AA6581455DCC5D3755443C4FCA550B7ED83
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1468510438
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Does anyone have any pointers on where I could look here?

    
posted by gramirez 14.07.2016 - 17:39

1 answer

4

Based on the openssl s_client output, the server accepts certificates issued by the following CAs:

Acceptable client certificate CA names
/C=US/O=VeriSign...CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/O=VeriSign...CN=VeriSign Class 2 Public Primary Certification Authority - G3

However, the client certificate you sent has the following issuer:

Issuer... CN=Symantec Class 2 Shared Intermediate Certificate Authority

This is not an issuer accepted by the server. Since the client sends no intermediate certificates that could build a chain of trust to one of the two CAs the server likes, the handshake will fail.

My guess is that in the working version the client sends the leaf certificate and also an intermediate certificate so that the chain of trust can be built. But since the pcap only contains a session resumption and not a full handshake, this assumption cannot be verified from the information given.

    
answered 15.07.2016 - 13:29
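The answer's diagnosis can be reproduced offline. The script below is an added example, not code from the question, the answer or the talx.com service: it builds a throwaway three-tier PKI (root CA, intermediate CA, client leaf) with the openssl command-line tool, then plays the server's side with `openssl verify`, trusting only the root the way a server whose "Acceptable client certificate CA names" list contains only root CAs would. All DNs, file names and the `Example Corp` PKI are constructed for the demo; the only assumption about the environment is that `openssl` (1.1.x or 3.x) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the question or answer): a constructed PKI
# root CA -> intermediate CA -> client leaf, used to show why a client that
# presents only its leaf certificate is rejected by a server that trusts
# only the root, and why leaf+intermediate is accepted.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_pki() {
    # CA extensions written explicitly so the result does not depend on the
    # local openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Root CA (self-signed). Plays the role of the CA names the server advertises.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA signed by the root. Plays the role of the
    # "Shared Intermediate Certificate Authority" that issued the poster's leaf.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    # Client leaf signed by the intermediate (RSA, as "Client Certificate Types: RSA sign" asks).
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=api-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
    # The file to pass as the first element of requests' cert=: leaf first,
    # then the intermediate(s). load_cert_chain() sends the extra certs as the chain.
    cat "$WORK/client.pem" "$WORK/inter.pem" > "$WORK/client-chain.pem"
}

# Issuer DN of a certificate in RFC 2253 form, e.g. "CN=Example Intermediate CA,O=Example Corp".
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# The answer's check: is the presented certificate's issuer one of the CA names
# from the server's CertificateRequest? Prints yes/no.
# $1 = certificate file, remaining arguments = acceptable CA DNs (RFC 2253 form).
issuer_acceptable() {
    iss="$(issuer_of "$1")"
    shift
    for ca in "$@"; do
        if [ "$iss" = "$ca" ]; then echo yes; return 0; fi
    done
    echo no
}

# Server side, trusting only the root. Prints accepted/rejected and never
# aborts the script under set -e.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/client.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected
}
verify_leaf_with_intermediate() {
    # -untrusted models the extra certificates the client put in its Certificate message.
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected
}

make_pki
ROOT_DN="$(openssl x509 -in "$WORK/root.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"

echo "acceptable client certificate CA name: $ROOT_DN"
echo "issuer of the client leaf:             $(issuer_of "$WORK/client.pem")"
echo "leaf issuer acceptable as-is:          $(issuer_acceptable "$WORK/client.pem" "$ROOT_DN")"
echo "intermediate's issuer acceptable:      $(issuer_acceptable "$WORK/inter.pem" "$ROOT_DN")"
echo "client sends leaf only:                $(verify_leaf_only)"
echo "client sends leaf + intermediate:      $(verify_leaf_with_intermediate)"
```

The leaf alone is rejected and leaf plus intermediate is accepted, which is exactly the gap between the failing Python call and the working SOAPUI call the answer describes (the server's alert number 40 is handshake_failure). The fix on the requests side is therefore not the adapter but the PEM file: put the leaf first and the issuing intermediate(s) after it in the file passed as the first element of `cert=`, since requests hands that file to `SSLContext.load_cert_chain`, which sends every certificate after the first as the chain. The same bundle can be checked against the real endpoint with `openssl s_client -connect host:443 -tls1 -cert client-chain.pem -key client.key`, which gives a full handshake rather than the session resumption the pcap captured.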
