tls 双向认证 client端代码例子

example:

python

 1 import httplib
 2 import json
 3 import ssl
 4 import urllib2
 5 import requests
 6 
 7 
# Where the example server lives and which resource the examples fetch.
HOST = "127.0.0.1"
PORT = 8443
CACHE_URL = "/v1/cache"  # request path, appended to https://HOST:PORT

# PEM material for mutual TLS.  CA_FILE is the bundle the client uses to
# verify the *server* certificate; CLIENT_CERT_FILE / CLIENT_KEY_FILE are the
# certificate and private key the client presents to the server.
# NOTE(review): the paths carry no leading "/", so they resolve against the
# current working directory -- confirm that is intended.
CA_FILE = "etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem"  # private key that goes with CLIENT_CERT_FILE
15 
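# Client-side TLS context.  Purpose.SERVER_AUTH is the purpose for a context
# that *connects to* a server: create_default_context() then sets
# verify_mode=CERT_REQUIRED and check_hostname=True, so the server must
# present a certificate that chains to CA_FILE and matches HOST.
# Purpose.CLIENT_AUTH is meant for server-side contexts; with it the CA file is
# loaded but verify_mode stays CERT_NONE and the server is never verified.
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=CA_FILE)
# Client certificate + private key offered during the handshake (the "mutual"
# half of mutual TLS).
context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)
# NOTE(review): hostname checking compares HOST ("127.0.0.1") against the
# server certificate, so that certificate must have been issued for that
# address -- confirm.

connection = httplib.HTTPSConnection(HOST, port=PORT, context=context)
try:
    # pem code
    # auth_header = 'Basic %s' % (":".join(["myusername","mypassword"]).encode('Base64').strip('\r\n'))
    # connection.request("POST", "/","",{'Authorization':auth_header})
    connection.request('GET', CACHE_URL)
    response = connection.getresponse()
    print(response.status, response.reason)

    data = response.read()
    print(json.loads(data))
finally:
    # Release the socket even when the request or the JSON decode raises.
    connection.close()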
31 
32 
33 
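# http://docs.python-requests.org/en/latest/
# requests verifies the server chain against CA_FILE and checks the hostname;
# cert= is the client certificate / private key pair for mutual TLS.
res = requests.get(
    "https://" + HOST + ":" + str(PORT) + CACHE_URL,
    verify=CA_FILE,
    cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE),
    auth=('user', 'pass'),
    # requests has no default timeout; without one a stalled server blocks forever.
    timeout=10,
)
# Fail on an HTTP error instead of trying to decode an error page as JSON.
res.raise_for_status()
print(res.json())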
37 
38 
39 # HTTPS Client Auth solution for urllib2, inspired by
40 # http://bugs.python.org/issue3466
41 # and improved by David Norton of Three Pillar Software. In this
42 # implementation, we use properties passed in rather than static module
43 # fields.
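class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
    """urllib2 handler that opens HTTPS connections with a client certificate.

    Args:
        ca: PEM bundle used to verify the server certificate.
        key: path to the client's private key.
        cert: path to the client certificate matching ``key``.

    The paths are kept on the instance so the handler can be built from
    runtime configuration instead of module-level constants.
    """

    def __init__(self, ca, key, cert):
        urllib2.HTTPSHandler.__init__(self)
        self.ca = ca
        self.key = key
        self.cert = cert

    def https_open(self, req):
        # do_open() wants a "connection class"; any callable that takes the
        # host and returns a connection object works, so a bound method does.
        return self.do_open(self.getConnection, req)

    def getConnection(self, host, **conn_kwargs):
        """Return an HTTPSConnection to ``host`` that verifies the server and presents the client cert.

        urllib2's do_open() passes extra keyword arguments (timeout=) to the
        connection factory; they are accepted and forwarded so the handler
        works when installed through build_opener().
        """
        # SERVER_AUTH is the client-side purpose: it enables CERT_REQUIRED and
        # hostname checking.  CLIENT_AUTH is for server-side contexts and
        # leaves verify_mode at CERT_NONE, so the CA bundle would never be
        # consulted and the server would go unverified.
        context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=self.ca)
        context.load_cert_chain(certfile=self.cert, keyfile=self.key)
        # The chain is already loaded on the context; repeating it through
        # key_file/cert_file is redundant.
        return httplib.HTTPSConnection(host, context=context, **conn_kwargs)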
61 
62 
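# To route every urllib2 HTTPS request through the handler above:
# cert_handler = HTTPSClientAuthHandler(CA_FILE, CLIENT_KEY_FILE, CLIENT_CERT_FILE)
# opener = urllib2.build_opener(cert_handler)
# urllib2.install_opener(opener)

# https://docs.python.org/2/library/urllib2.html#examples
# For a single call, passing the SSLContext directly (Python 2.7.9+) does the
# same job.  What gets verified is decided entirely by how `context` was
# built: only a SERVER_AUTH context checks the server certificate against the
# CA bundle and the hostname.
f = urllib2.urlopen("https://" + HOST + ":" + str(PORT) + CACHE_URL, context=context)
try:
    print(json.loads(f.read()))
finally:
    # urlopen() returns a file-like object holding the socket; close it.
    f.close()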

 

shell中直接执行:

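# Same request as the Python listing, run straight from the shell.  The -c
# body is single-quoted, so nothing inside it is expanded by the shell.
python -c '
import requests
CA_FILE = "etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST = "127.0.0.1"
PORT = 8443

CACHE_URL = "/v1/cache"
print(requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=("user", "pass")).json())
'
CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST="127.0.0.1"
PORT=8443
CACHE_URL="/v1/cache"
PASSWORD="pass"
USER="user"
# Hand the settings to the interpreter through its environment instead of
# expanding them into the -c string: command-line arguments are visible to
# every local user via ps, and the expanded command -- credentials included --
# would also be written to the shell history.  The assignments prefixed to the
# command apply to the python process only.
CA_FILE="$CA_FILE" CLIENT_CERT_FILE="$CLIENT_CERT_FILE" CLIENT_KEY_FILE="$CLIENT_KEY_FILE" \
HOST="$HOST" PORT="$PORT" CACHE_URL="$CACHE_URL" \
API_USER="$USER" API_PASSWORD="$PASSWORD" \
python -c '
import os
import requests
env = os.environ
print(requests.get("https://" + env["HOST"] + ":" + env["PORT"] + env["CACHE_URL"],
                   verify=env["CA_FILE"],
                   cert=(env["CLIENT_CERT_FILE"], env["CLIENT_KEY_FILE"]),
                   auth=(env["API_USER"], env["API_PASSWORD"])).json())
'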

 

Golang

$ cat goclient.go

 1 package main
 2 
 3 import (
 4         "crypto/tls"
 5         "crypto/x509"
 6         "flag"
 7         "fmt"
 8         "io/ioutil"
 9         "log"
10         "net/http"
11         _ "os"
12 )
13 
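// Command-line flags naming the PEM material and the resource to fetch.  The
// defaults are placeholders, not real files; pass all four explicitly.
var (
	certFile = flag.String("cert", "someCertFile", "A PEM encoded certificate file.")
	keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
	caFile   = flag.String("CA", "someCertCAFile", "A PEM encoded CA's certificate file.")
	url      = flag.String("url", "resource url", "The URL of the resource the client requests.")
)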
20 
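// main loads the client certificate and the CA bundle named on the command
// line, performs one GET against -url over mutual TLS and prints the body.
func main() {

	flag.Parse()

	// Load client cert (presented to the server during the handshake).
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		log.Fatal(err)
	}

	// Load CA cert used to verify the server.
	caCert, err := ioutil.ReadFile(*caFile)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	// AppendCertsFromPEM reports whether it parsed at least one certificate;
	// an empty pool would make every server chain fail with a confusing
	// verification error, so fail early with a clear message instead.
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatalf("no certificates found in %s", *caFile)
	}

	// Setup HTTPS client.  NameToCertificate is only consulted by servers
	// choosing a certificate per SNI name, so it is not built here.
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
		MinVersion:   tls.VersionTLS12, // refuse the legacy protocol versions
	}
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	client := &http.Client{Transport: transport}

	resp, err := client.Get(*url)
	if err != nil {
		// resp is nil on error; touching resp.Body here would panic.
		log.Fatal(err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Still print the body below; an error response may carry details.
		log.Printf("server returned %s", resp.Status)
	}
	contents, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s\n", string(contents))
}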

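CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # private key that goes with CLIENT_CERT_FILE
# PASSWORD/USER mirror the Python examples; goclient.go defines no auth flag,
# so the Go client never sends them.
PASSWORD="pass"
USER="user"
CACHE_URL="https://127.0.0.1:8443/v1/cache"
# Quote the expansions so a path containing whitespace is passed as one argument.
go run goclient.go -CA "$CA_FILE" -cert "$CLIENT_CERT_FILE" -key "$CLIENT_KEY_FILE" -url "$CACHE_URL"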

 

How Certificate Revocation Works
