使用Python requests库,当该证书提及我无法访问的发行者(不受信任的根)时,我如何信任服务器TLS证书?
换句话说,我想信任服务器证书中提供的公共密钥。我不想完全禁用证书验证,理想情况下,该解决方案不会阻止requests来验证其他有效证书。
使用curl和openssl,我可以设法获得此结果,但是即使使用requests参数,也无法使用verify库重现此结果。
使用URL https://untrusted-root.badssl.com,该URL公开具有不可信根的证书:
# Certificate issuer is not trusted
$ curl https://untrusted-root.badssl.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
...
# Download the server certificate locally to badsslcom.crt
$ openssl s_client -showcerts -servername untrusted-root.badssl.com -connect untrusted-root.badssl.com:443 </dev/null 2>/dev/null | openssl x509 -outform pem > badsslcom.crt
# Now, curl accepts the server certificate
$ curl --cacert badsslcom.crt https://untrusted-root.badssl.com
<!DOCTYPE html>
<html>
...
</html>
但是以下Python代码引发了异常:
import requests
import os
import logging
logging.basicConfig(level=logging.DEBUG)
url = "https://untrusted-root.badssl.com/"
cert = "badsslcom.crt"
if not os.path.exists(cert):
raise ValueError('Can not find cert')
r = requests.get(url, verify=cert)
例外是
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): untrusted-root.badssl.com
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
body=body, headers=headers)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
ssl_version=resolved_ssl_version)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./test_ssl.py", line 13, in <module>
r = requests.get(url, verify=cert)
File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 480, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 588, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
如何在Python中反映curl的行为?将证书添加到Ubuntu 18.04系统存储并将REQUESTS_CA_BUNDLE环境变量指向系统存储也无济于事。