Troubleshooting "ssl certificate verify failed" error
On Windows Vista SP2 + Python 2.7.10 I can connect to https://www.python.org, but not to https://codereview.appspot.com
Script:
HOST1 = 'https://www.python.org'
HOST2 = 'https://codereview.appspot.com'
import urllib2
print HOST1
urllib2.urlopen(HOST1)
print HOST2
urllib2.urlopen(HOST2)
And the output:
E:\>py test.py
https://www.python.org
https://codereview.appspot.com
Traceback (most recent call last):
  File "test.py", line 9, in <module>
    urllib2.urlopen(HOST2)
  File "C:\Python27\lib\urllib2.py", line 158, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 435, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 453, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 413, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1244, in https_open
    context=self._context)
  File "C:\Python27\lib\urllib2.py", line 1201, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
How can I troubleshoot what exactly is wrong with https://codereview.appspot.com/?
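My guess is that it is related to the alternate chain handling in OpenSSL, as described in . Although Python uses the Windows CA store to get the trusted root certificates, the validation of the trust chain itself is done within OpenSSL.
According to "Python 2.7.10 Released", Python 2.7.10 on Windows includes OpenSSL 1.0.2a, but the fix regarding alternate chains was only done in 1.0.2b (and had to be fixed soon afterwards, because it contained a serious security vulnerability).
If you look at the SSLLabs report for codereview.appspot.com you can see that there are multiple trust chains, which probably causes the problem. Contrary to that, python.org has only one trust chain.
To work around the problem it is probably necessary to use your own root CA store, which must include the certificate for "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority" in order to verify codereview.appspot.com correctly. The certificate can be found here and you can give it with the cafile parameter to urllib2.urlopen.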
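A troubleshooting helper for the question and the cafile workaround above, added here as an example and not code from the original posts. It is written for Python 3 (urllib.request and ssl, 3.7 or later) rather than the page's Python 2 urllib2, and it goes beyond the page by reporting the OpenSSL verification code behind CERTIFICATE_VERIFY_FAILED; the function names and the CA_BUNDLE placeholder are assumptions.

```python
import ssl
import urllib.error
import urllib.request

# OpenSSL X509_V_ERR_* codes commonly behind CERTIFICATE_VERIFY_FAILED.
VERIFY_HINTS = {
    10: "certificate has expired: check its validity dates and the local clock",
    18: "self-signed leaf certificate: no CA in the store issued it",
    19: "self-signed certificate in chain: that root is not in the store",
    20: "unable to get local issuer certificate: the store lacks a root for this chain",
    21: "unable to verify the first certificate: the issuer of the leaf was not found",
    62: "hostname mismatch: the certificate does not cover the requested name",
}

def build_context(cafile=None):
    """Verifying context: system store by default, or only the given PEM bundle."""
    # create_default_context keeps CERT_REQUIRED and hostname checking enabled;
    # passing cafile replaces the system store instead of switching checks off.
    return ssl.create_default_context(cafile=cafile)

def explain(exc):
    """Return (verify_code, hint) for a failure raised by urlopen or the ssl module."""
    if isinstance(exc, urllib.error.URLError):
        exc = exc.reason  # urllib wraps the underlying socket/ssl error
    if not isinstance(exc, ssl.SSLCertVerificationError):
        return None, "not a certificate verification failure: %r" % (exc,)
    code = getattr(exc, "verify_code", None)
    return code, VERIFY_HINTS.get(code, getattr(exc, "verify_message", str(exc)))

def check(url, cafile=None, timeout=10):
    """Fetch url with verification left on; return (ok, verify_code, hint)."""
    try:
        urllib.request.urlopen(url, context=build_context(cafile), timeout=timeout).close()
        return True, None, "chain verified"
    except OSError as exc:  # URLError and ssl.SSLError are both OSError subclasses
        return (False,) + explain(exc)

if __name__ == "__main__":
    # Hosts from the question; CA_BUNDLE is a placeholder (assumption), e.g. a
    # PEM file holding the root certificate the answer names.
    CA_BUNDLE = None
    for url in ("https://www.python.org", "https://codereview.appspot.com"):
        print(url, check(url, cafile=CA_BUNDLE))
```

A result with code 20 or 21 points at the trust store or the chain the server sends, which is the case the answer addresses with its own root CA file.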