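Python SSL verification works with wget but not with the requests module

Time: 2020-04-17 13:11:45

Tags: python python-2.7 openssl python-requests

SSL verification works with wget, but with the Python requests module it throws an SSL verification failed error for a self-signed certificate.

Self-signed certificate: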

[root@abc ssl]# openssl x509 -in CertBundle.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c8:ce:ab:e3:65:e3:f3:6d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, ST=Dolnoslaskie, L=Wroclaw, O=abc company, OU=MN Mobile Networks, CN=10.x.x.253
        Validity
            Not Before: Apr  1 15:08:54 2020 GMT
            Not After : Apr  1 15:08:54 2021 GMT
        Subject: C=PL, ST=Dolnoslaskie, L=Wroclaw, O=abc company, OU=MN Mobile Networks, CN=10.x.x.253
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                29:D9:B1:FF:9A:46:00:F9:90:DE:37:EF:AA:97:7E:9A:D4:3A:D3:C9
            X509v3 Authority Key Identifier:
                keyid:29:D9:B1:FF:9A:46:00:F9:90:DE:37:EF:AA:97:7E:9A:D4:3A:D3:C9

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

wget response:

Command: wget https://10.x.x.253 --ca-certificate=/root/ssl/CertBundle.pem

[root@abc ssl]# wget https://10.x.x.253 --ca-certificate=/root/ssl/CertBundle.pem
--2020-04-17 13:59:15--  http://10.x.x.253/
Connecting to 10.x.x.253:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://10.x.x.253/ [following]
--2020-04-17 13:59:15--  https://10.x.x.253/
Connecting to 10.x.x.253:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://abc.def.xyz-net.net/auth/sso/midas@bangalore?path=%2F [following]
--2020-04-17 13:59:15--  https://abc.def.xyz-net.net/auth/sso/das@bangalore?path=%2F
Resolving abc.def.xyz-net.net (abc.def.xyz-net.net)... 10.154.11.42
Connecting to abc.def.xyz-net.net (abc.def.xyz-net.net)|10.154.11.42|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65185 (64K) [text/html]
Saving to: ‘index.html.3’

100%[===================================================================================================================>] 65,185       319KB/s   in 0.2s

But when I try the same thing with the requests module, it fails. It ignores the verify option that is passed.

Version: requests==2.18.4

[root@abc ssl]# /usr/bin/python
Python 2.7.14 (default, Mar 15 2018, 17:42:04)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-18)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get('https://10.x.x.253/', verify='/root/ssl/CertBundle.pem')
/usr/lib/python2.7/site-packages/urllib3/connection.py:344: SubjectAltNameWarning: Certificate for 10.x.x.253 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 640, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 218, in resolve_redirects
    **adapter_kwargs
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))
>>>

I would appreciate it if anyone could give me some insight. I also tried setting the REQUESTS_CA_BUNDLE environment variable, but still no luck.

0 answers:

No answers
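A triage sketch for the output above, added here as an example and not part of the original question: the traceback passes through `resolve_redirects`, so the handshake that failed belongs to a redirected request, and requests uses the file given to `verify=` as its only trust store for every hop. The function names are hypothetical and the sample input is abridged from the session and wget log shown in the question.

```python
import re

# Constructed sample input: frames and redirect lines abridged from the
# interpreter session and the wget log shown in the question.
TRACEBACK = '''\
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 640, in send
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 218, in resolve_redirects
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 506, in send
(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))
'''
WGET_LOG = '''\
Location: https://10.x.x.253/ [following]
Location: https://abc.def.xyz-net.net/auth/sso/midas@bangalore?path=%2F [following]
'''

FRAME = re.compile(r'File "[^"]*/(\w+)\.py", line \d+, in (\w+)')
LOCATION = re.compile(r'^Location: (\w+)://([^/\s]+)', re.M)


def failed_during_redirect(traceback_text):
    """True if the verify failure was raised while requests followed a redirect."""
    if "CERTIFICATE_VERIFY_FAILED" not in traceback_text:
        return False
    # (module, function) pairs for every frame in the traceback
    return ("sessions", "resolve_redirects") in FRAME.findall(traceback_text)


def redirect_https_hosts(wget_log, first_host):
    """HTTPS hosts in the redirect chain other than the one originally requested."""
    hosts = []
    for scheme, host in LOCATION.findall(wget_log):
        if scheme == "https" and host != first_host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(traceback_text, wget_log, first_host):
    """Hosts whose issuing CA is probably missing from the verify= file."""
    if failed_during_redirect(traceback_text):
        return redirect_https_hosts(wget_log, first_host)
    return [first_host] if "CERTIFICATE_VERIFY_FAILED" in traceback_text else []


if __name__ == "__main__":
    print(triage(TRACEBACK, WGET_LOG, "10.x.x.253"))
```

A host reported here needs its issuing CA in the same PEM file as the self-signed certificate, since one bundle has to validate the whole redirect chain.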