Sample Python SSL protocol from docs gives message "Connection reset by peer"

I am trying to run the example code provided in the documentation for the module ssl here: http://docs.python.org/2/library/ssl.html#client-side-operation

The server side code is similar to the example given in the documentation and throws this exception:

Traceback (most recent call last):
  File "serve.py", line 16, in <module>
    ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python2.7/ssl.py", line 381, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 143, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
socket.error: [Errno 104] Connection reset by peer

      

And client side code, also similar to the example in the documentation, throws this exception:

Traceback (most recent call last):
  File "client.py", line 8, in <module>
    ssl_sock.connect((host, port))
  File "/usr/lib/python2.7/ssl.py", line 331, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python2.7/ssl.py", line 324, in _real_connect
    raise e
socket.error: [Errno 104] Connection reset by peer

      

As far as I can see, I copied the examples given in the documentation pretty closely, so I don't know what the problem is. All my TCP, UDP and ICMP ports are open, so I don't think this is a firewall issue.

(I edited this question to shorten my code for brevity, as it is indeed very similar to the example in the link. If you want to see my code, take a look at the history of this question.)

+2




1 answer


I found the problem. I generated a private key and certificate using the command as follows:

$ openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem
Generating a 1024 bit RSA private key
# ...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organization, Inc.
Organizational Unit Name (eg, section) []:My Group
Common Name (eg, YOUR name) []:myserver.mygroup.myorganization.com
Email Address []:ops@myserver.mygroup.myorganization.com
$

      

The most important part is that the "common name" entered must match the domain name of the server. I thought that when cacerts is ssl.CERT_NONE, which is the default for wrap_socket, it would not be checked, but I was wrong. It is always checked. One night's sleep and this is the first thing I decided to check!



Hopefully this will be helpful to someone getting this cryptic error message.

If this does not solve the problem, you may have run into deep packet inspection. I got this error again when I was on a university network, but not on any other network, and I'm sure it was due to deep packet inspection.

+4
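
An added example, not part of the original question or answer: a check of whether the names in a certificate cover the hostname a client connects to, run over the dictionary format returned by `SSLSocket.getpeercert()`. The certificate dictionaries are constructed samples; the hostname is the Common Name from the openssl session above, and the function names are hypothetical.

```python
# Added example: hostname check over the dict format returned by
# ssl.SSLSocket.getpeercert(). All sample dicts below are constructed.

def cert_names(cert):
    """Return (dns_sans, common_names) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Exact match, or one leftmost '*' label covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:   # reject bare '*.tld' wildcards
        return p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, reason). DNS subjectAltName entries take precedence;
    the Common Name is only a fallback when no DNS SAN is present."""
    if not cert:
        # getpeercert() gives {} when the certificate was not validated
        # and None when the peer sent no certificate.
        return False, "no validated certificate to inspect"
    sans, cns = cert_names(cert)
    names, source = (sans, "subjectAltName") if sans else (cns, "commonName")
    for name in names:
        if name_matches(name, host):
            return True, "%s %r matches" % (source, name)
    return False, "%s %r does not cover %r" % (source, names, host)

HOST = "myserver.mygroup.myorganization.com"   # CN used in the session above
CN_ONLY = {"subject": ((("countryName", "US"),), (("commonName", HOST),))}
WITH_SAN = {"subject": ((("commonName", HOST),),),
            "subjectAltName": (("DNS", "*.mygroup.myorganization.com"),
                               ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    cases = [(CN_ONLY, HOST), (CN_ONLY, "localhost"), (WITH_SAN, HOST),
             (WITH_SAN, "a.b.mygroup.myorganization.com"), ({}, HOST)]
    for cert, host in cases:
        print(host, check_host(cert, host))
```

Connecting by `localhost` or an IP address while the certificate names only the fully qualified domain name shows up here as the second case.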

