Python Requests throwing SSLError

小蘑菇 2020-11-22 02:49

I'm working on a simple script that involves CAS, jspring security check, redirection, etc. I would like to use Kenneth Reitz's python requests because it's a great piec

24 answers
  •  轮回少年
    2020-11-22 03:25

    This is similar to @rafael-almeida 's answer, but I want to point out that as of requests 2.11+, there are not 3 values that verify can take, there are actually 4:

    1. True: validates against requests's internal trusted CAs.
    2. False: bypasses certificate validation completely. (Not recommended)
    3. Path to a CA_BUNDLE file. requests will use this to validate the server's certificates.
    4. Path to a directory containing public certificate files. requests will use this to validate the server's certificates.

    The rest of my answer is about #4, how to use a directory containing certificates to validate:

    Obtain the public certificates needed and place them in a directory.

    Strictly speaking, you probably "should" use an out-of-band method of obtaining the certificates, but you could also just download them using any browser.

    If the server uses a certificate chain, be sure to obtain every single certificate in the chain.

    According to the requests documentation, the directory containing the certificates must first be processed with the "rehash" utility (openssl rehash).

    (This requires openssl 1.1.1+, and not all Windows openssl implementations support rehash. If openssl rehash won't work for you, you could try running the rehash ruby script at https://github.com/ruby/openssl/blob/master/sample/c_rehash.rb, though I haven't tried this.)

    I had some trouble with getting requests to recognize my certificates, but after I used the openssl x509 -outform PEM command to convert the certs to Base64 .pem format, everything worked perfectly.

    You can also just do lazy rehashing:

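    import subprocess
    import requests

    def get_with_lazy_rehash(url, auth=None):  # illustrative wrapper name
        try:
            # As long as the certificates in the certs directory are in the OS's certificate store, `verify=True` is fine.
            return requests.get(url, auth=auth, verify=True)
        except requests.exceptions.SSLError:
            # Rebuild the hash links OpenSSL uses for directory lookups, then retry against the directory.
            subprocess.run(["openssl", "rehash", "-compat", "-v", "my_certs_dir"], check=True)
            return requests.get(url, auth=auth, verify="my_certs_dir")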
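
A preflight check for the certificate directory described in the answer above, added here as an example and not part of the original answer: it reports files that are not PEM, writes a PEM copy of DER-encoded ones using the standard library's ssl.DER_cert_to_PEM_cert, and flags whether openssl rehash still has to run. The function names, report keys and sample file names are assumptions, and the sample bytes are constructed placeholders, not real certificates.

```python
import re
import ssl
import tempfile
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
# Link names created by `openssl rehash`: 8 hex digits of the subject hash, a dot, a counter.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def prepare_cert_dir(cert_dir):
    """Classify files in cert_dir, write a .pem copy of each DER file, return a report."""
    report = {"pem": [], "converted": [], "skipped": [], "hash_links": []}
    for path in sorted(Path(cert_dir).iterdir()):
        if HASH_LINK.match(path.name):
            report["hash_links"].append(path.name)
            continue
        data = path.read_bytes() if path.is_file() else b""
        pem_path = path.with_suffix(".pem")
        if PEM_MARKER in data:
            report["pem"].append(path.name)
        elif data[:1] == b"\x30" and not pem_path.exists():
            # 0x30 is the ASN.1 SEQUENCE tag that every DER certificate starts with.
            pem_path.write_text(ssl.DER_cert_to_PEM_cert(data))
            report["converted"].append(pem_path.name)
        else:
            # Not a certificate, or a DER file whose .pem copy already exists.
            report["skipped"].append(path.name)
    # Heuristic: every usable certificate should have one hash link.
    usable = len(report["pem"]) + len(report["converted"])
    report["needs_rehash"] = usable > len(report["hash_links"])
    return report


def demo():
    """Run the check on a constructed directory (placeholder bytes, not real certificates)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "root_ca.pem").write_bytes(PEM_MARKER + b"\nQUJD\n-----END CERTIFICATE-----\n")
        (root / "intermediate.cer").write_bytes(b"\x30\x82\x01\x0a" + b"\x00" * 16)
        (root / "notes.txt").write_text("not a certificate")
        (root / "0a1b2c3d.0").write_bytes(b"")  # stands in for a rehash link
        report = prepare_cert_dir(root)
        report["converted_is_pem"] = PEM_MARKER in (root / "intermediate.pem").read_bytes()
        return report


if __name__ == "__main__":
    print(demo())
```

When needs_rehash is true, run openssl rehash on the directory before passing it as verify.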
    
