curl --cacert vs python requests verify

I am trying to connect over https to a site that uses an unofficial CA. For some reason it works with curl but not with python requests.

See the example below

Python 3.8.0 (default, Oct 30 2019, 11:47:54) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import requests 

In [2]: requests.__version__ 
Out[2]: '2.22.0'

In [3]: cert = "..." 

In [4]: url = "..." 

In [5]: !curl --cacert {cert} {url} 
{"status":200}

In [6]: requests.get(url,verify=cert) 
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))

During handling of the above exception, another exception occurred:

SSLError Traceback (most recent call last)
...

SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))

What exactly am I doing wrong? Why does it behave differently?

- Edit -

curl definitely uses this certificate; without it curl fails

In [9]: !curl {url}                                                                                                                                                                                                
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

...

In [10]:    

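... it is an intermediate CA

Having only an intermediate CA in the trust store is not enough to verify the certificate, at least not with current versions of Python. This requires verification with the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN, which Python currently neither exposes nor sets by default.

In contrast, curl sets this flag by default in newer versions, which is why it works.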
