Python请求SSL主机名不匹配错误 [英] Python requests SSL Hostname doesn't match error

问题描述

我一直在尝试使用如下所示的python请求库访问使用SSL保护的API

I have been trying to access an API which is secured using SSL using python requests library as given below

requests.get('https://path/to/url',cert=('cert.pem','key.pem'),verify='ca.pem')

但出现错误

File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
raise SSLError(e)
requests.exceptions.SSLError: hostname '10.10.10.10' doesn't match u'*' # IP address is not real.

如果我的理解是正确的，则该证书可以与任何服务器一起使用，因为它们都以 *签名作为域。

If my understanding is right this certificates can be used with any server since they are signed with '*' as domain.

我想请求库正在严格匹配主机名验证，而不是正则表达式匹配。

I guess the requests library is making a strict match of hostname verification instead of regular expression matching.

所以我的问题是这是请求库中的错误还是以这种方式缩进工作？

so my question is whether it is a bug with requests library or is this the way it is indented to work?

当我使用curl命令时，它工作得很好

It is working perfectly fine when I use curl command as given below.

curl https://path/to/url  --cert cert.pem  --key key.pem --cacert ca.pem

所以我有两种可能性，要么curl库未执行主机名验证，要么他们正在使用正则表达式。

So i have two possibilities, either curl library is not performing hostname verification or they are doing it with regular expression.

我在哪里错了？期望得到详细的答案

Where am i going wrong here? Expecting a detailed answer

推荐答案

通配符如何匹配在 RFC 2818 ，在 RFC 6125 ，并且 CAB基线要求中也有信息。最后，浏览器实现以下功能：

How wildcards are matched is described in RFC 2818, more precisely stated in RFC 6125 and there are also information in the CAB baseline requirements. At the end the browsers implement the following:

• 只有最左边的标签可以有一个通配符，而一个通配符只能匹配一个标签。不可能使用 * ， *。*。example.com 等通配符。 *。example.com 也会匹配 www.example.com ，但不匹配 sub.www。 example.com 或 example.com 。


• 此外，根据公钥后缀有一些限制，例如，没有浏览器允许 *。com 使用通配符，有些浏览器不允许 *。co.uk 使用通配符。


• 在证书中可以使用通配符有一些限制。主题备用名称部分中所有支持通配符，但并非全部都允许使用通配符。


• 除了通配符仅用于主机名。这意味着不允许将IP地址与通配符条目进行匹配。要将IP地址包含在证书中，您必须使用iPAdress作为主题备用名称（除IE之外的所有浏览器）或dNSName（除IE之外的所有浏览器），或者IP地址必须位于CN中（除Safari之外的所有浏览器）。 / li>
  

• Only the leftmost label can have a wildcard and a wildcard matches only a single label. That is no wildcards like *, *.*.example.com etc are possible. Also *.example.com matches www.example.com but not sub.www.example.com or example.com.
• Additionally there are restrictions depending on the public key suffix, i.e no browsers allow wildcards for *.com, some don't allow wildcards for *.co.uk to.
• And there are restriction where the wildcard can be in the certificate. All support wildcards in the subject alternative name section, but not all allow wildcards in the common name.
• Apart from that wildcards are only for hostnames. This means IP addresses are not allowed to be matched against a wildcard entry. To have an IP address included into a certificate you must use an iPAdress as subject alternative name (all browsers except IE) or a dNSName (no browsers except IE) or the IP address must be in the CN (all browsers except Safari).

过去，像python这样的几种语言根本没有对主机名进行任何检查，但是使用2.7.9 python时，也可以通过以下方式检查主机名

Several languages like python did not do any checks against the hostname at all in the past but with 2.7.9 python also checks the hostname by default and has an implementation which is mostly compatible to what the browsers do.

至于curl：取决于curl的版本。 7.36应该可以，但较早的版本在验证中存在存在缺陷。

As for curl: it depends on the version of curl you use. 7.36 should be ok but older versions have flaws in the validation.

这篇关于Python请求SSL主机名不匹配错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！