
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

When I test CRL revocation with Python ssl and socket

When I tried to use a CRL file with Python to check whether the peer certificate is revoked, I consulted the official Python documentation, but there was very little. My basic steps:

  1. Convert the .crl file to a .pem file.
  2. Invoke the python ssl.load_verify_location interface.

import pprint
import socket
import ssl


def tls_check(domain, port):
    addr = domain
    ctx = ssl.create_default_context()
    # CERT_REQUIRED belongs in verify_mode; masking ctx.options with it
    # would clear the protocol hardening options instead.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
    ctx.check_hostname = False
    # pre_crl.pem is the .crl file converted to PEM (step 1).
    ctx.load_verify_locations(cafile="/home/linux/CloudBrahma_release/Utils/pre_crl.pem")
    sock = ctx.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM), server_hostname=addr)
    sock.connect((addr, port))
    print("TLS Certificate:")
    pprint.pprint(sock.getpeercert())
    print("TLS Version:", sock.version())
    print("TLS Cipher:", sock.cipher()[0])
    exit()


tls_check("xxxxx", 8080)

I got this error:

Traceback (most recent call last):
  File "test.py", line 28, in <module>
    tls_check("100.94.2.17", 8443)
  File "test.py", line 21, in tls_check
    sock.connect((addr, port))
  File "/home/linux/py3env/lib/python3.7/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/home/linux/py3env/lib/python3.7/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/home/linux/py3env/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

ctx.load_verify_locations(cafile="/home/linux/CloudBrahma_release/Utils/pre_crl.pem")

This is expecting a file with the trusted CA. If you give a file with a CRL instead, you essentially have no trusted CA. This means it will not be able to find the root CA for a certificate, since you have no trusted root CA defined, resulting in

... certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

Instead the given cafile must include the trusted root CA and additionally the CRL if you want to check for CRL. But granted, this kind of API is strange and the documentation is not really helpful either.
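
The fix described in the answer, as an added example (not code from the question or the answer): a preflight that reports when the file handed to `load_verify_locations` holds only a CRL, followed by a client context that loads the trusted CA and the CRL into the same store. The function names, the two-file layout and the placeholder PEM strings are assumptions made for this illustration.

```python
import re
import ssl

# Constructed placeholder PEM text: labels only, not parseable by OpenSSL.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_CRL = "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"

_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def pem_inventory(pem_text):
    """Count PEM block labels, e.g. {'CERTIFICATE': 2, 'X509 CRL': 1}."""
    counts = {}
    for label in _PEM_BEGIN.findall(pem_text):
        counts[label] = counts.get(label, 0) + 1
    return counts


def preflight(ca_text, crl_text):
    """Return the problems that would make CRL-checked verification fail."""
    problems = []
    ca, crl = pem_inventory(ca_text), pem_inventory(crl_text)
    if not (ca.get("CERTIFICATE") or ca.get("TRUSTED CERTIFICATE")):
        problems.append("no trust anchor: CA file holds %s" % (sorted(ca) or "nothing"))
    if not crl.get("X509 CRL"):
        problems.append("no CRL: CRL file holds %s" % (sorted(crl) or "nothing"))
    return problems


def build_crl_context(ca_path, crl_path, whole_chain=False):
    """Client context that trusts ca_path and rejects certs listed in crl_path."""
    with open(ca_path) as ca_file, open(crl_path) as crl_file:
        problems = preflight(ca_file.read(), crl_file.read())
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    ctx.load_verify_locations(cafile=ca_path)      # trusted root / issuing CA
    ctx.load_verify_locations(cafile=crl_path)     # CRL goes into the same store
    # LEAF needs only the issuer's CRL; CHAIN needs a CRL from every CA in the path.
    ctx.verify_flags |= (ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain
                         else ssl.VERIFY_CRL_CHECK_LEAF)
    return ctx
```

Passing the same CRL-only file as both arguments reproduces the situation in the question and stops at the preflight, before any handshake is attempted.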
