Original URL: http://stackoverflow.com/questions/28667684/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Python Requests getting SSLerror
Asked by Captain_Meow_Meow
Trying to make a simple get request using Requests session but I keep getting SSLerror for a specific site. I think maybe the problem is with the site (I did a scan using https://www.ssllabs.com, results are down below), but I can't be sure because I have no knowledge in this area :) I would sure like to understand what is going on.
A solution/explanation would be great, thanks!
The code:
import requests
requests.get('https://www.reporo.com/')
I'm getting the next error:
SSLError: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
---------------------------------------------------------------------------
SSLError Traceback (most recent call last)
<ipython-input-7-cfc21b287fee> in <module>()
----> 1 requests.get('https://www.reporo.com/')
/usr/local/lib/python2.7/dist-packages/requests/api.pyc in get(url, **kwargs)
63
64 kwargs.setdefault('allow_redirects', True)
---> 65 return request('get', url, **kwargs)
66
67
/usr/local/lib/python2.7/dist-packages/requests/api.pyc in request(method, url, **kwargs)
47
48 session = sessions.Session()
---> 49 response = session.request(method=method, url=url, **kwargs)
50 # By explicitly closing the session, we avoid leaving sockets open which
51 # can trigger a ResourceWarning in some cases, and look like a memory leak
/usr/local/lib/python2.7/dist-packages/requests/sessions.pyc in request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
459 }
460 send_kwargs.update(settings)
--> 461 resp = self.send(prep, **send_kwargs)
462
463 return resp
/usr/local/lib/python2.7/dist-packages/requests/sessions.pyc in send(self, request, **kwargs)
571
572 # Send the request
--> 573 r = adapter.send(request, **kwargs)
574
575 # Total elapsed time of the request (approximately)
/usr/local/lib/python2.7/dist-packages/requests/adapters.pyc in send(self, request, stream, timeout, verify, cert, proxies)
429 except (_SSLError, _HTTPError) as e:
430 if isinstance(e, _SSLError):
--> 431 raise SSLError(e, request=request)
432 elif isinstance(e, ReadTimeoutError):
433 raise ReadTimeout(e, request=request)
SSLError: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
I ran a scan at https://www.ssllabs.com and got the following:
SSL Report: reporo.com
Assessed on: Sun Feb 22 21:42:57 PST 2015

Server | Domain(s) | Test time | Grade
1: 154.51.128.13 (Certificate not valid for domain name) | reporo.com | Sun Feb 22 21:40:53 PST 2015, Duration: 9.167 sec | -
2: 198.12.15.168, protected.ddosdefend.com (Ready) | www.reporo.com | Sun Feb 22 21:41:02 PST 2015, Duration: 115.189 sec | F
Accepted answer by Steffen Ullrich
The certificate itself for www.reporo.com (not reporo.com) is valid, but it is missing a chain certificate as shown in the report by ssllabs:
Chain issues Incomplete
....
2 Extra download Thawte DV SSL CA
Fingerprint: 3ca958f3e7d6837e1c1acf8b0f6a2e6d487d6762
The "Incomplete" and "Extra download" are the major points. Some browsers will have the missing chain certificate cached, others will do the download and others will fail. If you try the site with a fresh Firefox profile (which does not have any certificates cached) it will fail too.
You could download the missing chain certificates and use them as trusted CA certificates with the verify parameter for requests. Don't just disable validation because then you are open to man-in-the-middle attacks.
Step by step instruction:
- Download the missing certificate at https://ssl-tools.net/certificates/vqgvhb-thawte-dv-ssl-ca (found by searching for the fingerprint given in the report from SSLLabs). Download the file in PEM format, i.e. https://ssl-tools.net/certificates/3ca958f3e7d6837e1c1acf8b0f6a2e6d487d6762.pem.
- Download the root certificate at https://ssl-tools.net/certificates/91c6d6ee3e8ac86384e548c299295c756c817b81.pem (also found by searching for fingerprint).
- Cat both files together into a new file chain.pem. Make sure that each of the files ends with a valid end-of-line character (which they do not as downloaded). The resulting file should look like this.
- Modify your call to
requests.get('https://www.reporo.com/', verify = 'chain.pem')
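The concatenation step above, as an added Python example that is not part of the original answer: it pins each downloaded certificate to an expected fingerprint before adding it to the bundle, and shows why a missing end-of-line breaks a plain cat. The PEM inputs are constructed dummies, the function names are hypothetical, and treating the page's 40-hex-digit fingerprints as SHA-1 over the DER bytes is an assumption.

```python
import base64
import hashlib
import ssl

# Fingerprints quoted on this page (40 hex digits; assumed SHA-1 over the DER).
PAGE_PINS = ["3ca958f3e7d6837e1c1acf8b0f6a2e6d487d6762",
             "91c6d6ee3e8ac86384e548c299295c756c817b81"]


def fake_pem(payload: bytes) -> str:
    """Constructed stand-in for a download: PEM armor, no trailing newline."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def sha1_fingerprint(pem: str) -> str:
    """Hex SHA-1 of the certificate's DER bytes."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def build_bundle(pems, pins):
    """Join PEM certificates into one bundle, rejecting any unpinned one."""
    allowed = {p.lower().replace(":", "") for p in pins}
    parts = []
    for pem in pems:
        fp = sha1_fingerprint(pem)
        if fp not in allowed:
            raise ValueError(f"unexpected certificate, fingerprint {fp}")
        # Normalise line endings and force one trailing newline so the next
        # BEGIN line never shares a line with this certificate's END line.
        parts.append(pem.replace("\r\n", "\n").strip() + "\n")
    return "".join(parts)


def count_certificates(bundle: str) -> int:
    """Count BEGIN markers that stand on a line of their own."""
    return bundle.splitlines().count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    inter, root = fake_pem(b"constructed intermediate"), fake_pem(b"constructed root")
    demo_pins = [sha1_fingerprint(inter), sha1_fingerprint(root)]  # demo only
    print("naive cat:", count_certificates(inter + root))          # glued lines
    print("bundle   :", count_certificates(build_bundle([inter, root], demo_pins)))
    # With the real downloads: write build_bundle(files, PAGE_PINS) to chain.pem,
    # then requests.get('https://www.reporo.com/', verify='chain.pem')
```

Checking the fingerprint before trusting the file matters here because the certificates come from a third-party download site rather than from the CA itself.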
Answer by Colin
You can disable certificate verification:
requests.get('https://www.reporo.com/', verify=False)
but without certificate verification there is no man-in-the-middle attack protection.
Answer by Aleksei Denisov
I had the same error. Downgrading requests from requests-2.17.3 to requests-2.11.0 solved it for me.
pip uninstall requests
pip install requests==2.11.0
Answer by Deqing
Ran into similar issue and fixed by following:
pip install -U requests[security]

