curl --cacert vs python requests verify
I am trying to connect over https to a website that uses a non-official CA. For some reason it works with curl but not with python requests.
See the example below
Python 3.8.0 (default, Oct 30 2019, 11:47:54)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import requests
In [2]: requests.__version__
Out[2]: '2.22.0'
In [3]: cert = "..."
In [4]: url = "..."
In [5]: !curl --cacert {cert} {url}
{"status":200}
In [6]: requests.get(url,verify=cert)
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
During handling of the above exception, another exception occurred:
SSLError Traceback (most recent call last)
...
SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
What am I doing wrong? Why does it behave differently?
- Edit -
curl is definitely using this certificate; without it curl fails
In [9]: !curl {url}
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
In [10]:
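... it is an intermediate CA
Having only an intermediate CA in the trust store is not sufficient to validate a certificate, at least not with the current version of Python. This feature would need validation with the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN, which Python currently neither exposes nor sets by default.
In contrast, curl sets this flag by default in newer versions, and thus it works.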
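An added example, not part of the original question or answer: on Python 3.10 and later the `ssl` module has `ssl.VERIFY_X509_PARTIAL_CHAIN`, so a client context can opt in to the behaviour described above, and the bundle can be checked for CA certificates whose issuer is missing. The function names and the sample certificate names are hypothetical and constructed for illustration; the check compares names only and does not verify signatures.

```python
import ssl

def _key(name):
    """Flatten the nested RDN tuples used by the ssl module into a comparable key."""
    return tuple(pair for rdn in name for pair in rdn)

def unanchored_cas(ca_certs):
    """Return commonNames of CA certs whose issuer is not present in ca_certs.

    ca_certs is the list of dicts returned by SSLContext.get_ca_certs().
    A root is self-issued (issuer == subject). An intermediate whose issuer is
    absent cannot anchor a chain unless partial chains are allowed, which is
    when OpenSSL reports "unable to get issuer certificate".
    """
    subjects = {_key(c["subject"]) for c in ca_certs}
    return [dict(_key(c["subject"])).get("commonName")
            for c in ca_certs if _key(c["issuer"]) not in subjects]

def pinned_context(cafile=None, allow_partial_chain=False):
    """Client context that trusts only `cafile`, never the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    flag = getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", None)  # Python 3.10+
    if flag is None:
        if allow_partial_chain:
            raise RuntimeError("this Python cannot enable partial-chain verification")
        return ctx
    if allow_partial_chain:
        ctx.verify_flags |= flag    # intermediates in the store become trust anchors
    else:
        ctx.verify_flags &= ~flag   # same result regardless of interpreter defaults
    return ctx

# Constructed sample in the shape get_ca_certs() returns (names are made up).
ROOT = ((("commonName", "Example Root CA"),),)
INTERMEDIATE = ((("commonName", "Example Issuing CA"),),)
ONLY_INTERMEDIATE = [{"subject": INTERMEDIATE, "issuer": ROOT}]
FULL_BUNDLE = ONLY_INTERMEDIATE + [{"subject": ROOT, "issuer": ROOT}]

if __name__ == "__main__":
    print(unanchored_cas(ONLY_INTERMEDIATE))   # the intermediate has no issuer in the bundle
    print(unanchored_cas(FULL_BUNDLE))         # complete chain, nothing unanchored
    ctx = pinned_context(allow_partial_chain=True)
    print(ctx.verify_mode, ctx.check_hostname, ctx.verify_flags)
```

With the flag set, everything the intermediate issues is trusted without the root being checked; appending the root certificate to the CA file instead gives a complete chain on any Python version.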