tls 双向认证 client端代码例子

example:

python

 import httplib
 import json
 import ssl
 import urllib2
 import requests

 CA_FILE = "etc/rdtagent/cert/server/ca.pem"
 CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
 CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!
 HOST = "127.0.0.1"
 PORT = 8443

 CACHE_URL = "/v1/cache"

 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=CA_FILE)
 context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)

 connection = httplib.HTTPSConnection(HOST, port=PORT, context=context)
 # pem code
 # auth_header = 'Basic %s' % (":".join(["myusername","mypassword"]).encode('Base64').strip('\r\n'))
 # connection.request("POST", "/","",{'Authorization':auth_header})
 connection.request('GET', CACHE_URL)
 response = connection.getresponse()
 print(response.status, response.reason)

 data = response.read()
 print(json.loads(data))

 connection.close()

 # http://docs.python-requests.org/en/latest/
 res = requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=('user', 'pass'))
 print res.json()

 # HTTPS Client Auth solution for urllib2, inspired by
 # http://bugs.python.org/issue3466
 # and improved by David Norton of Three Pillar Software. In this
 # implementation, we use properties passed in rather than static module
 # fields.
 class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
     def __init__(self, ca, key, cert):
         urllib2.HTTPSHandler.__init__(self)
         self.ca = ca
         self.key = key
         self.cert = cert
     def https_open(self, req):
         #Rather than pass in a reference to a connection class, we pass in
         # a reference to a function which, for all intents and purposes,
         # will behave as a constructor
         return self.do_open(self.getConnection, req)
     def getConnection(self, host):
         print "*" * 80
         print host
         context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=self.ca)
         context.load_cert_chain(certfile=self.cert, keyfile=self.key)
         return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, context=context)

 # cert_handler = HTTPSClientAuthHandler(CA_FILE, CLIENT_KEY_FILE, CLIENT_CERT_FILE)
 # opener = urllib2.build_opener(cert_handler)
 # urllib2.install_opener(opener)

 # https://docs.python.org/2/library/urllib2.html#examples
 f = urllib2.urlopen("https://"+HOST+":"+str(PORT)+CACHE_URL, context=context)
 print json.loads(f.read())

shell中直接执行：

python -c '
import requests
CA_FILE = "etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST = "127.0.0.1"
PORT = 8443

CACHE_URL = "/v1/cache"
print requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=("user", "pass")).json()
'

CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST="127.0.0.1"
PORT=8443
CACHE_URL="/v1/cache"
PASSWORD="pass"
USER="user"
python -c "
import requests
print requests.get('https://'+'$HOST'+':'+str($PORT)+'$CACHE_URL', verify='$CA_FILE', cert=('$CLIENT_CERT_FILE', '$CLIENT_KEY_FILE'), auth=('$USER', '$PASSWORD')).json()
"

Golang

$ cat goclient.go

 package main

 import (
         "crypto/tls"
         "crypto/x509"
         "flag"
         "fmt"
         "io/ioutil"
         "log"
         "net/http"
         _ "os"
 )

 var (
         certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
         keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
         caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
         url      = flag.String("url", "resource url", "The url of resource that client request.")
 )

 func main() {

         flag.Parse()
         //os.Getenv("HOST"))
         // Load client cert
         cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
         if err != nil {
                 log.Fatal(err)
         }

         // Load CA cert
         caCert, err := ioutil.ReadFile(*caFile)
         if err != nil {
                 log.Fatal(err)
         }
         caCertPool := x509.NewCertPool()
         caCertPool.AppendCertsFromPEM(caCert)

         // Setup HTTPS client
         tlsConfig := &tls.Config{
                 Certificates: []tls.Certificate{cert},
                 RootCAs:      caCertPool,
         }
         tlsConfig.BuildNameToCertificate()
         transport := &http.Transport{TLSClientConfig: tlsConfig}
         client := &http.Client{Transport: transport}

         resp, err := client.Get(*url)
         if err != nil {
                 fmt.Println(err)
         }
         contents, err := ioutil.ReadAll(resp.Body)
         fmt.Printf("%s\n", string(contents))
 }

$

CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!
PASSWORD="pass"
USER="user"
CACHE_URL="https://127.0.0.1:8443/v1/cache"
$ go run goclient.go -CA $CA_FILE -cert $CLIENT_CERT_FILE -key $CLIENT_KEY_FILE -url $CACHE_URL

How Certificate Revocation Works