Impossible d'obtenir de certificat client SSL de travail dans la Tornade

J'ai besoin de client-serveur certifié de la communication dans la Tornade. J'ai généré le certificat CA racine et ensuite utilisée pour signer les certificats serveur et client. Quand je la vérification de ces certificats à l'aide d'openssl, tout semble parfait (voir ci-dessous). Mais quand j'utilise les mêmes touches & des certificats dans la Tornade, j'obtiens un "tlsv1 alerte inconnu ca".

Tornade serveur:

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)                                                                                                                            
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain("/home/soustruh/cert/server.cert.pem",
        "/home/soustruh/cert/server.key.pem")
context.load_verify_locations("/home/soustruh/cert/rootCA.pem")

server = tornado.httpserver.HTTPServer(application, ssl_options=context)
server.listen(6090)
tornado.ioloop.IOLoop.instance().start()

Tornade client:

url = "https://127.0.0.1:6090/" 
request = tornado.httpclient.HTTPRequest(url = url, method = "GET", 
        client_key="/home/soustruh/cert/client.key.pem",
        client_cert="/home/soustruh/cert/client.cert.pem")
client = tornado.httpclient.AsyncHTTPClient()
param = yield client.fetch(request, self.handle_request)

Erreur du Client:

WARNING:tornado.general:SSL Error on 10 ('127.0.0.1', 6090): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

Erreur de serveur:

WARNING:tornado.general:SSL Error on 9 ('127.0.0.1', 47104): [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:598)
ERROR:tornado.general:Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/tornado/http1connection.py", line 674, in _server_request_loop
    ret = yield conn.read_response(request_delegate)
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 617, in run
    value = future.result()
  File "/usr/local/lib/python3.4/dist-packages/tornado/concurrent.py", line 109, in result
    raise_exc_info(self._exc_info)
  File "<string>", line 3, in raise_exc_info
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 620, in run
    yielded = self.gen.throw(*sys.exc_info())
  File "/usr/local/lib/python3.4/dist-packages/tornado/http1connection.py", line 165, in _read_message
    io_loop=self.stream.io_loop)
  File "/usr/local/lib/python3.4/dist-packages/tornado/gen.py", line 617, in run
    value = future.result()
  File "/usr/local/lib/python3.4/dist-packages/tornado/concurrent.py", line 111, in result
    raise self._exception
  File "/usr/local/lib/python3.4/dist-packages/tornado/iostream.py", line 1167, in _do_ssl_handshake
    self.socket.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 805, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:598)

Et juste pour mémoire, openssl vérification:

openssl verify -CAfile /home/soustruh/cert/rootCA.pem /home/soustruh/cert/server.cert.pem 
/home/soustruh/cert/server.cert.pem: OK
openssl verify -CAfile /home/soustruh/cert/rootCA.pem /home/soustruh/cert/client.cert.pem 
/home/soustruh/cert/client.cert.pem: OK

Quand j'ai créer le serveur et le client à l'aide d'openssl, il travaille trop.

Openssl serveur:

openssl s_server -accept 12345 -cert server.cert.pem -key server.key.pem -CAfile rootCA.pem 
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDBq9HZ1LyiuB7i+UKpwYBVwMB3H2WN6AYZjKulQcDgk
x44vTFGwRL2hcj/3b/eXU76hBgIEU/xOWaIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

Openssl client:

openssl s_client -connect 127.0.0.1:12345 -verify 2 -cert client.cert.pem -key client.key.pem 
verify depth is 2
CONNECTED(00000003)
~
verify error:num=19:self signed certificate in certificate chain
verify return:1
~
verify return:1
~
verify return:1
---
Certificate chain
~~~
---
Server certificate
-----BEGIN CERTIFICATE-----
~~~
-----END CERTIFICATE-----
~~~
---
No client certificate CA names sent
---
SSL handshake has read 3122 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9CDDF8FC4976A85112087356F329AC32FAFCF07E198AA50565B3BE8FE8476E1C
Session-ID-ctx: 
Master-Key: 6AF476752F28AE07B8BE50AA70601570301DC7D9637A0186632AE950703824C78E2F4C51B044BDA1723FF76FF79753BE
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - a1 78 18 17 2d db 2f 32-81 31 71 50 09 c0 5a 3e   .x..-./2.1qP..Z>
0010 - 7a de 73 a3 79 30 07 71-ab 3e 77 60 03 17 43 fe   z.s.y0.q.>w`..C.
0020 - bd 8f 71 7a 3f 27 a0 3d-de 74 03 fe c8 3e fe b3   ..qz?'.=.t...>..
0030 - 1e c0 c7 80 64 8f 88 e7-2c 1c a1 6a 32 f1 a9 e7   ....d...,..j2...
0040 - 86 1e b0 a7 ad 55 3d 04-f6 9d 9f a7 75 44 3b d3   .....U=.....uD;.
0050 - 90 1a fc 6b 41 2c 47 aa-b7 70 6c 33 35 ae 1c 54   ...kA,G..pl35..T
0060 - b4 5b 95 9b a7 7b ed 03-73 e3 34 f1 61 6c 9a ac   .[...{..s.4.al..
0070 - 17 c5 0d 65 23 0f da 74-0c ba cc c7 bf e1 c9 67   ...e#..t.......g
0080 - 38 3f 70 78 e5 c5 c3 4e-2d 6b 33 47 30 76 20 00   8?px...N-k3G0v .
0090 - 50 f6 fe dd 0a 88 c3 c0-fa 1f 26 62 f1 14 3f e8   P.........&b..?.
Start Time: 1409044057
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
InformationsquelleAutor Soustruh | 2014-08-26