Configuring TLS With Requests

A common problem encountered by Requests users is that they need to perform some specific configuration of TLS. This can happen for a number of reasons, but the most common problem is that Requests has a default TLS configuration that is fairly strict. In particular, we recently removed support for all cipher suites that use the 3DES stream cipher. Unfortunately, for many older servers (particularly those that do not support TLSv1.1 or TLSv1.2), these were the last cipher suites we had in common with those servers.

Now, removing 3DES was in general the right thing to do. Recent advances in cryptanalysis mean that 3DES is insecure for bulk-transfer: a long-lived connection that transfers a large amount of data using 3DES can be attacked and can have encrypted data exfiltrated by a determined attacker. Of course, for many users this is not a plausible attack vector (for example, one-off scripts that do batch work), but we need to protect all our users, and the only way to ensure that users are not accidentally exposed to this attack is to remove it from our list altogether.

Naturally, a number of users want to add this back. Historically this was a difficult thing to do in Requests, but in more recent versions (since v2.12.0) it has become possible to get extremely low-level configuration of Requests’ TLS settings on a per-host level. This blog post will demonstrate how to do this to specifically re-add 3DES support for a single host, but in general this allows arbitrarily-detailed TLS configuration.

How It Works

The feature added in Requests v2.12.0 is that urllib3 now accepts an SSLContext object in the constructors for ConnectionPool objects. This SSLContext will be used as the factory for the underlying TLS connection, and so all settings applied to it will also be applied to those low-level connections.

The best way to do this is to use the SSLContext factory function requests.packages.urllib3.util.ssl_.create_urllib3_context. This is analogous to Python’s ssl.create_default_context function but applies the more-strict default TLS configuration that Requests and urllib3 both use. This function will return an SSLContext object that can then have further configuration applied. On top of that, the function also takes a few arguments to allow overriding default configuration.

To provide the new SSLContext object, you will need to write a TransportAdapter that is appropriate for the given host.

Below is an example of how to re-enable 3DES in Requests using this method.

import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context

# This is the 2.11 Requests cipher string, containing 3DES.
CIPHERS = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
    '!eNULL:!MD5'
)


class DESAdapter(HTTPAdapter):
    """
    A TransportAdapter that re-enables 3DES support in Requests.
    """
    def init_poolmanager(self, *args, **kwargs):
        # Hand urllib3 an SSLContext built from the 2.11 cipher list; every
        # connection opened by this adapter's pool manager inherits it.
        context = create_urllib3_context(ciphers=CIPHERS)
        kwargs['ssl_context'] = context
        return super(DESAdapter, self).init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        # Same context for connections tunnelled through an HTTPS proxy.
        context = create_urllib3_context(ciphers=CIPHERS)
        kwargs['ssl_context'] = context
        return super(DESAdapter, self).proxy_manager_for(*args, **kwargs)

s = requests.Session()
# The adapter is selected by URL prefix, so it applies only to this host; every
# other host keeps the Session's default (3DES-free) HTTPAdapter.
s.mount('https://some-3des-only-host.com', DESAdapter())
r = s.get('https://some-3des-only-host.com/some-path')
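The cipher string above re-enables a suite the post itself describes as insecure for bulk transfer, so before mounting such an adapter a practitioner would want to see exactly which suites the string turns on, and to keep a strict configuration for every other host in the Session. The following is an added example, not code from the original post or from Requests/urllib3. It uses only the standard library's ssl module (create_urllib3_context returns the same SSLContext type, so the checks apply to its output unchanged) and therefore runs offline; STRICT_CIPHERS, build_context, enabled_cipher_names, uses_3des and contexts_for_session are names chosen here, and which 3DES suites the legacy string actually enables depends on the local OpenSSL build.

```python
import ssl

# Constructed example: inspect what a cipher string really enables before
# handing the resulting SSLContext to a Requests adapter.

# The Requests 2.11 cipher string the post re-enables; it contains 3DES suites.
LEGACY_CIPHERS = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
    '!eNULL:!MD5'
)

# A constructed strict string for every other host: AES only, 3DES excluded
# explicitly so a future OpenSSL alias cannot reintroduce it.
STRICT_CIPHERS = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:'
    'RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!3DES'
)


def build_context(ciphers, minimum_version=None):
    """Build an SSLContext with the stdlib's verifying defaults (certificate
    and hostname checks on), then apply the given cipher list.

    minimum_version is left alone for the legacy host, since the post's point
    is that such hosts do not speak TLS 1.1/1.2; pass ssl.TLSVersion.TLSv1_2
    for everything else.
    """
    ctx = ssl.create_default_context()
    if minimum_version is not None:
        ctx.minimum_version = minimum_version
    ctx.set_ciphers(ciphers)
    return ctx


def enabled_cipher_names(ctx):
    """Names of the suites this context would offer in a ClientHello."""
    return [c['name'] for c in ctx.get_ciphers()]


def uses_3des(ctx):
    """True if any enabled suite uses 3DES (OpenSSL spells it DES-CBC3 or 3DES)."""
    return any('3DES' in n or 'DES-CBC3' in n for n in enabled_cipher_names(ctx))


def minimum_version_name(ctx):
    """Human-readable floor protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def contexts_for_session():
    """Return (legacy_ctx, strict_ctx): the first is what the post's DESAdapter
    would pass as ssl_context for the single old host, the second the hardened
    configuration intended for every other mount."""
    legacy = build_context(LEGACY_CIPHERS)
    strict = build_context(STRICT_CIPHERS, ssl.TLSVersion.TLSv1_2)
    return legacy, strict


if __name__ == '__main__':
    legacy, strict = contexts_for_session()
    print('legacy context offers 3DES:', uses_3des(legacy))
    print('strict context offers 3DES:', uses_3des(strict))
    print('strict context floor:', minimum_version_name(strict))
    print('strict context suites:', ', '.join(enabled_cipher_names(strict)))
```

Run it on the machine that will host the script: get_ciphers() reflects the OpenSSL linked into that interpreter, so the same string can enable different suites on different hosts, which is exactly why the check belongs next to the mount() call rather than in a comment.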

Translated from: https://www.pybloggers.com/2017/02/configuring-tls-with-requests/
