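Python server certificate not trusted: how do I make Python requests trust a server certificate when I cannot access the parent certificate...

Using the Python requests library, how can I trust a server TLS certificate when that certificate refers to an issuer I don't have access to (an untrusted root)?

In other words, I want to trust the public key presented in the server certificate. Ideally, I don't want to disable certificate verification entirely.

With curl and openssl I can manage to get this result, but I cannot reproduce it with the requests library, even using the verify parameter.

# Certificate issuer is not trusted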

$ curl https://untrusted-root.badssl.com

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

...

# Download the server certificate locally to badsslcom.crt

$ openssl s_client -showcerts -servername untrusted-root.badssl.com -connect untrusted-root.badssl.com:443 </dev/null 2>/dev/null | openssl x509 -outform pem > badsslcom.crt

# Now, curl accepts the server certificate

$ curl --cacert badsslcom.crt https://untrusted-root.badssl.com

...

However, the following Python code raises an exception:

^{pr2}$

The exception is:

INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): untrusted-root.badssl.com

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen

body=body, headers=headers)

File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request

self._validate_conn(conn)

File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn

conn.connect()

File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect

ssl_version=resolved_ssl_version)

File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket

return context.wrap_socket(sock, server_hostname=server_hostname)

File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket

_context=self)

File "/usr/lib/python3.5/ssl.py", line 752, in __init__

self.do_handshake()

File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake

self._sslobj.do_handshake()

File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake

self._sslobj.do_handshake()

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send

timeout=timeout

File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen

raise SSLError(e)

requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

File "./test_ssl.py", line 13, in <module>

r = requests.get(url, verify=cert)

File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get

return request('get', url, params=params, **kwargs)

File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request

return session.request(method=method, url=url, **kwargs)

File "/usr/lib/python3/dist-packages/requests/sessions.py", line 480, in request

resp = self.send(prep, **send_kwargs)

File "/usr/lib/python3/dist-packages/requests/sessions.py", line 588, in send

r = adapter.send(request, **kwargs)

File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send

raise SSLError(e, request=request)

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

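How can I mirror the curl behavior in Python? Adding the certificate to the Ubuntu 18.04 system store and pointing the REQUESTS_CA_BUNDLE environment variable at the system store did not help either.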
