I'm having trouble calling a RESTful API protected by mutual SSL.
I have no problem calling the API from SOAPUI after supplying the keystore with the private and public key to use for mutual SSL.
In a Python script I'm using the snippet below to perform mutual SSL (via the requests library):
import ssl

import requests
from requests.adapters import HTTPAdapter
from urllib3.poolmanager import PoolManager


class MyAdapter(HTTPAdapter):
    """"Transport adapter" that forces the connection pool to use TLSv1."""

    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(
            num_pools=connections, maxsize=maxsize,
            block=block, ssl_version=ssl.PROTOCOL_TLSv1)

...

# downstreamURL, payload and headers are defined in the omitted part of the script.
s = requests.session()
s.mount("https://", MyAdapter())
req = s.post(
    downstreamURL, data=payload,
    headers=headers, verify=False,
    # raw strings so the backslashes in the Windows paths are not read as escapes
    cert=(r"C:\Users\garamirez\Documents\public.pem", r"C:\Users\garamirez\Documents\key.key")
)
I tested another API protected by mutual SSL with the snippet above, and the requests library has no problem sending the client certificate.
When I run my script, I get the following error: requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)
I ran a Wireshark capture to compare a successful SOAPUI call with a failed Python script call, and I don't see why the Python call is failing. In both cases the client and server agree on the same protocol and cipher suite, but the Python case fails right after "Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message", as shown below:
Successful SOAPUI sequence: [capture image]
From the Wireshark capture, the back-end API only supports the AES128-SHA cipher over TLSv1.
Interestingly, openssl is also showing an SSLv3 handshake failure despite getting the full cert chain:
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Missouri, L = Saint Louis, O = TALX Corporation, OU = ASG, CN = test.ofx4.talx.com
verify return:1
4294956672:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
4294956672:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
Certificate chain
0 s:/C=US/ST=Missouri/L=Saint Louis/O=TALX Corporation/OU=ASG/CN=test.ofx4.talx.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Missouri/L=Saint Louis/O=TALX Corporation/OU=ASG/CN=test.ofx4.talx.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
Client Certificate Types: RSA sign
---
SSL handshake has read 4660 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 734CAC5732452D935C1F5CDBC1900BB78E0805205013443C1B4D742D21B82FFD
Session-ID-ctx:
Master-Key: BFCB8041D10B303310CADDCF6A987D96E8FE72A05B2D8499410E06B96A326AA6581455DCC5D3755443C4FCA550B7ED83
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1468510438
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Does anyone have any pointers on where I should look here?
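As an added example (not part of the original question), here is a small stdlib-only script that reads the kind of `openssl s_client` transcript pasted above and answers the question the transcript itself raises: the server's CertificateRequest lists only two VeriSign G3 CAs under "Acceptable client certificate CA names", so a client certificate whose issuer is not one of them is rejected with alert 40 no matter what the requests adapter does. The sample transcript is an abridged copy of the one in the question; the function names and the two issuer DNs used in the demonstration are my own constructed values, and the real issuer of your client certificate comes from `openssl x509 -noout -issuer -in public.pem`.

```python
"""Diagnose a mutual-TLS handshake failure from `openssl s_client` output.

Added example, not part of the original question. It extracts the CA names the
server advertises in its CertificateRequest and checks whether the issuer of the
client certificate you intend to present is one of them.
"""
import re
import ssl

# Constructed sample: an abridged copy of the s_client transcript in the question.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = US, ST = Missouri, L = Saint Louis, O = TALX Corporation, OU = ASG, CN = test.ofx4.talx.com
verify return:1
4294956672:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
Client Certificate Types: RSA sign
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
"""

# Split "/C=US/O=VeriSign, Inc./CN=..." only on a slash that starts a new attribute.
_SLASH_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")
# Match 'C = US, O = "VeriSign, Inc.", CN = ...' one attribute at a time.
_COMMA_ATTR = re.compile(r'([A-Za-z][A-Za-z0-9.]*)\s*=\s*("[^"]*"|[^,]*)')


def parse_dn(dn):
    """Normalise either OpenSSL DN spelling to a tuple of (TYPE, value) pairs."""
    pairs = []
    if dn.startswith("/"):
        for part in _SLASH_SPLIT.split(dn)[1:]:
            attr, _, value = part.partition("=")
            pairs.append((attr.upper(), value.strip()))
    else:
        for attr, value in _COMMA_ATTR.findall(dn):
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            pairs.append((attr.upper(), value))
    return tuple(pairs)


def parse_s_client(text):
    """Pull out the handshake facts relevant to a client-certificate rejection."""
    info = {"client_cert_requested": False, "acceptable_cas": [],
            "alert": None, "protocol": None, "cipher": None}
    in_ca_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Acceptable client certificate CA names",
                    "No client certificate CA names sent"):
            # Either header means the server sent a CertificateRequest.
            info["client_cert_requested"] = True
            in_ca_list = line.startswith("Acceptable")
            continue
        if in_ca_list:
            if line.startswith("/"):
                info["acceptable_cas"].append(parse_dn(line))
                continue
            in_ca_list = False
        m = re.search(r"SSL alert number (\d+)", line)
        if m:
            info["alert"] = int(m.group(1))
        m = re.match(r"Protocol\s*:\s*(\S+)", line)
        if m:
            info["protocol"] = m.group(1)
        m = re.match(r"Cipher\s*:\s*(\S+)", line)
        if m:
            info["cipher"] = m.group(1)
    return info


def alert_name(number):
    """Map a TLS alert number to its name via the stdlib ssl enum."""
    try:
        return ssl.AlertDescription(number).name
    except ValueError:
        return "unknown alert %d" % number


def client_cert_acceptable(client_issuer_dn, s_client_text):
    """True if the server's advertised CA list contains the client cert's issuer."""
    return parse_dn(client_issuer_dn) in parse_s_client(s_client_text)["acceptable_cas"]


def diagnose(client_issuer_dn, s_client_text):
    """One-line verdict on whether the client certificate can be the cause."""
    info = parse_s_client(s_client_text)
    if not info["client_cert_requested"]:
        return "server never sent a CertificateRequest; the client cert is not the problem"
    if parse_dn(client_issuer_dn) in info["acceptable_cas"]:
        return "client cert issuer is in the server's CA list (%s, %s); look elsewhere" % (
            info["protocol"], info["cipher"])
    alert = alert_name(info["alert"]) if info["alert"] is not None else "a rejection"
    return "client cert issuer is not in the server's CA list; expect %s" % alert


if __name__ == "__main__":
    # Constructed issuer DNs for illustration (the real one comes from openssl x509).
    accepted = ("/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc."
                " - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3")
    rejected = "/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4"
    print(diagnose(accepted, SAMPLE_S_CLIENT_OUTPUT))
    print(diagnose(rejected, SAMPLE_S_CLIENT_OUTPUT))
```

Note that `verify=False` in the requests call only disables verification of the server's certificate; it has no effect on whether, or which, client certificate is sent, so it cannot mask a mismatch against the server's CA list. The `parse_dn` normaliser exists because OpenSSL prints DNs in the slash form in the CA list and in the quoted comma form on the `depth=` lines, and comparing them as raw strings would give false mismatches.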