Problem description
I want to send data from a client to the server in a TLS TCP socket from multiple client subprocesses so I share the same ssl socket with all subprocesses. Communication works with one subprocess, but if I use more than one subprocess, the TLS server crashes with an ssl.SSLError (SSL3_GET_RECORD:decryption failed or bad record mac).
More specific: It does not depend on which process first calls the SSLSocket.write() method, but this process is the only one from this time on which can call it. If another process calls write(), the server will result in the exception described above.
I used this basic code:
tlsserver.py
import socket, ssl

def deal_with_client(connstream):
    data = connstream.read()
    while data:
        print data
        data = connstream.read()
    connstream.close()

bindsocket = socket.socket()
bindsocket.bind(('127.0.0.1', 9998))
bindsocket.listen(5)

while True:
    newsocket, fromaddr = bindsocket.accept()
    connstream = ssl.wrap_socket(newsocket,
                                 server_side=True,
                                 certfile="srv.crt",
                                 keyfile="srv.key",
                                 ssl_version=ssl.PROTOCOL_TLSv1)
    deal_with_client(connstream)
tlsclient.py
import socket, ssl
import multiprocessing

class SubProc:
    def __init__(self, sock):
        self.sock = sock

    def do(self):
        # Runs in the child process, writing through the parent's SSL socket
        self.sock.write("Test")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s)
ssl_sock.connect(('127.0.0.1', 9998))

print "Connected to", repr(ssl_sock.getpeername())

# Every subprocess is handed the same ssl_sock
for x in (1,2):
    subproc = SubProc(ssl_sock)
    proc = multiprocessing.Process(target=subproc.do)
    proc.start()
This is the traceback:
Traceback (most recent call last):
  File "tlsserver.py", line 21, in <module>
    deal_with_client(connstream)
  File "tlsserver.py", line 7, in deal_with_client
    data = connstream.read()
  File "/usr/lib64/python2.6/ssl.py", line 136, in read
    return self._sslobj.read(len)
ssl.SSLError: [Errno 1] _ssl.c:1325: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Recommended answer
The problem is that you're re-using the same connection for both processes. The way SSL encrypts data makes this fail -- the two processes would have to communicate with each other about the state of the shared SSL connection. Even if you do make it work, or if you didn't use SSL, the data would arrive at the server all jumbled up; you would have no real way of distinguishing which bytes came from which process.
What you need to do is give each process its own SSL connection, by making the connection in subproc.do. Alternatively, don't have the subprocesses communicate with the server at all, but rather communicate with the main process, and have the main process relay it over the SSL connection.
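The shared connection state the answer refers to includes an implicit per-record sequence number that is fed into every record MAC. The following is an added example, not code from the question or the answer: a MAC-only model of the TLS 1.0 record layer (no encryption, no real sockets) in which copy.deepcopy stands in for the state duplication done by fork(). RecordState, shared_socket_after_fork and relay_through_one_owner are hypothetical names, and the key is a constructed value.

```python
import copy
import hashlib
import hmac
import struct


class RecordState:
    """One direction of a TLS 1.0-style record layer, MAC only (model, no encryption)."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq = 0  # implicit 64-bit sequence number, never sent on the wire

    def _mac(self, payload):
        # TLS 1.0: HMAC(key, seq_num || type || version || length || fragment)
        header = struct.pack("!QBHH", self.seq, 23, 0x0301, len(payload))
        return hmac.new(self.mac_key, header + payload, hashlib.sha1).digest()

    def seal(self, payload):
        record = payload + self._mac(payload)
        self.seq += 1
        return record

    def open(self, record):
        payload, tag = record[:-20], record[-20:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            raise ValueError("decryption failed or bad record mac")
        self.seq += 1
        return payload


def shared_socket_after_fork(key=b"constructed-demo-key"):
    """Two children each write through their own copy of the parent's state."""
    server, parent = RecordState(key), RecordState(key)
    child_a, child_b = copy.deepcopy(parent), copy.deepcopy(parent)  # models fork()
    results = []
    for child in (child_a, child_b):
        try:
            results.append(server.open(child.seal(b"Test")))
        except ValueError as exc:
            results.append(str(exc))
    return results


def relay_through_one_owner(key=b"constructed-demo-key"):
    """Children hand data to the single process that owns the connection."""
    server, owner = RecordState(key), RecordState(key)
    return [server.open(owner.seal(msg)) for msg in (b"Test", b"Test")]
```

The first child's record verifies; the second child reuses sequence number 0 while the server has moved on to 1, so its MAC check fails, which matches the behaviour described in the question.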