curl --cacert vs python requests verify
I am trying to connect via https to a site that uses a non-official CA. For some reason it works with curl but not with python requests.
See the example below
Python 3.8.0 (default, Oct 30 2019, 11:47:54)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import requests
In [2]: requests.__version__
Out[2]: '2.22.0'
In [3]: cert = "..."
In [4]: url = "..."
In [5]: !curl --cacert {cert} {url}
{"status":200}
In [6]: requests.get(url,verify=cert)
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
During handling of the above exception, another exception occurred:
SSLError Traceback (most recent call last)
...
SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
What am I doing wrong? Why does it behave differently?
--EDIT--
curl definitely uses this certificate; without it curl fails
In [9]: !curl {url}
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
In [10]:
... it's an intermediate CA
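Having only an intermediate CA in the trust store is not sufficient to validate the certificate, at least with the current versions of Python. This feature requires the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN to be used for validation, which is neither currently exposed by Python nor set by default.
Newer versions of curl, in contrast, set this flag by default, which is why it works.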