1) Download and install OpenSSL. The installer used here is Win64OpenSSL-3_1_2.exe
from: Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
Install it to: C:\OpenSSL-Win64
and, in the system settings, add to PATH: C:\OpenSSL-Win64\bin
2) Open cmd and generate the keys and certificates (open cmd in the directory where the files should be created):
# Generate the private keys (one for the CA, one for the server, one for the client)
openssl genrsa -out ca.key 2048
openssl genrsa -out server.key 2048
openssl genrsa -out client.key 2048
# Create a certificate signing request from each private key; you are prompted for the certificate's metadata
openssl req -new -key ca.key -out ca.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key client.key -out client.csr
# Metadata (the same for all three requests)
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuanDong
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SouthKing
Organizational Unit Name (eg, section) []:SouthKing
Common Name (e.g. server FQDN or YOUR name) []:SK
Email Address []:SK
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:qcrm.ssl
An optional company name []:qcrm.ssl
# Combine each private key with its request to create the certificates: ca.crt is self-signed,
# server.crt and client.crt are signed by the CA (-CAcreateserial creates ca.srl on first use).
# The original used -sha1; OpenSSL 3.x clients reject SHA-1 certificate signatures at the default
# security level, so the certificates are signed with -sha256 here.
openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 5000 -signkey ca.key
openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key
The server needs server.key and server.crt.
Here they are copied to the static/cert directory, and main.py is configured as follows:
from flask import Flask, render_template, redirect, url_for, request
from gevent import pywsgi
import requests
import hashlib
...
if __name__ == "__main__":
    # gevent's WSGIServer wraps the listening socket in TLS when keyfile/certfile are given
    server = pywsgi.WSGIServer(('192.168.0.101', 8080), app,
                               keyfile='./static/cert/server.key',
                               certfile='./static/cert/server.crt')
    server.serve_forever()
Note: you may need to install pyOpenSSL: pip install pyOpenSSL
A web client then simply enters https://192.168.0.101:8080 in the address bar.
A thick client, such as a Python client, needs client.key instead; (this Python code may have problems)
import urllib.request
import ssl

if __name__ == '__main__':
    CA_FILE = "./static/cert/ca.crt"
    # Trust only our own CA and require the server to present a certificate signed by it
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking is disabled because the certificate was issued to CN "SK" and carries
    # no subjectAltName for 192.168.0.101; the certificate chain itself is still verified
    context.check_hostname = False
    context.load_verify_locations(CA_FILE)
    context.verify_mode = ssl.CERT_REQUIRED
    # For mutual TLS the client would also load client.crt/client.key via context.load_cert_chain();
    # the gevent server above does not request a client certificate, so nothing is loaded here
    try:
        request = urllib.request.Request('https://192.168.0.101:8080')
        res = urllib.request.urlopen(request, context=context)
        print(res.code)
        print(res.read().decode("utf-8"))
    except Exception as ex:
        print("Found Error in auth phase:%s" % str(ex))
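As an added example (not from the original post), the following POSIX shell script scripts the certificate generation above with a private config file instead of interactive prompts, gives the server certificate a subjectAltName for the server address, and then verifies the chain the way a TLS client does. It assumes the openssl command-line tool is on PATH and a POSIX shell (Git Bash on Windows); 192.168.0.101 is the address used in the post. With the SAN present, the Python client above can keep check_hostname enabled, which the post's certificates (issued to CN "SK" without a SAN) cannot.

```shell
#!/bin/sh
# Added example (not part of the original post): build a CA and a server certificate with a
# subjectAltName for the server address, using a private config so the result does not depend
# on the system openssl.cnf, then verify the chain as a TLS client would. Assumes the openssl
# CLI (1.1.1+) on PATH and a POSIX shell (Git Bash on Windows). 192.168.0.101 is from the post.
set -e

make_certs() {
    dir="$1"
    mkdir -p "$dir"
    # Extension profiles: the root must say CA:TRUE; the leaf must not, and needs a SAN
    # because clients match the address they dial against the SAN, not against the CN.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder (overridden by -subj)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.0.101
EOF
    # Self-signed root with a SHA-256 signature (OpenSSL 3 clients reject SHA-1 signatures).
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext -sha256 -days 5000 \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=GuanDong/L=ShenZhen/O=SouthKing/CN=SouthKing Root CA"
    # Server key + CSR, then sign the CSR with the CA and attach the server_ext profile.
    openssl req -new -config "$dir/openssl.cnf" -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=GuanDong/L=ShenZhen/O=SouthKing/CN=192.168.0.101"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 5000 -extfile "$dir/openssl.cnf" \
        -extensions server_ext -out "$dir/server.crt"
}

# Returns 0 only when server.crt chains to ca.crt and its SAN names the server address.
verify_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'IP Address:192.168.0.101'
}

# Usage: sh make_certs.sh static/cert   (no argument: only define the functions)
if [ -n "${1:-}" ]; then make_certs "$1" && verify_certs "$1" && echo "OK: $1"; fi
```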