禁用 Python 请求对导入的模块进行 SSL 验证 [英] Disable Python requests SSL validation for an imported module

问题描述

我正在运行一个 Python 脚本，该脚本使用 requests 包来发出 Web 请求.但是，Web 请求通过带有自签名证书的代理.因此，请求会引发以下异常:

I'm running a Python script that uses the requests package for making web requests. However, the web requests go through a proxy with a self-signed cert. As such, requests raise the following Exception:

requests.exceptions.SSLError: ("bad handshake: Error([('SSLroutines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

我知道可以通过传递 verify=False 在我自己的代码中禁用 SSL 验证，例如:requests.get("https://www.google.com", verify=假).我也知道如果我有证书包，我可以设置 REQUESTS_CA_BUNDLE 或 CURL_CA_BUNDLE 环境变量来指向这些文件.但是，我没有可用的证书包.

I know that SSL validation can be disabled in my own code by passing verify=False, e.g.: requests.get("https://www.google.com", verify=False). I also know that if I had the certificate bundle, I could set the REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variables to point to those files. However, I do not have the certificate bundle available.

如何在不编辑代码的情况下禁用外部模块的 SSL 验证?

How can I disable SSL validation for external modules without editing their code?

推荐答案

注意:此解决方案是一个完整的解决方案.

Note: This solution is a complete hack.

简短回答:将 CURL_CA_BUNDLE 环境变量设置为空字符串.

Short answer: Set the CURL_CA_BUNDLE environment variable to an empty string.

之前:

$ python
import requests
requests.get('http://www.google.com')
<Response [200]>

requests.get('https://www.google.com')
...
File "/usr/local/lib/python2.7/site-packages/requests-2.17.3-py2.7.egg/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

之后:

$ CURL_CA_BUNDLE="" python
import requests
requests.get('http://www.google.com')
<Response [200]>

requests.get('https://www.google.com')
/usr/local/lib/python2.7/site-packages/urllib3-1.21.1-py2.7.egg/urllib3/connectionpool.py:852: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
<Response [200]>

工作原理

此解决方案有效，因为 Python requests 覆盖了环境变量 CURL_CA_BUNDLE 和 REQUESTS_CA_BUNDLE 中 verify 的默认值，如此处所示:

This solution works because Python requests overwrites the default value for verify from the environment variables CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE, as can be seen here:

if verify is True or verify is None:
verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
    os.environ.get('CURL_CA_BUNDLE'))

环境变量旨在指定证书文件或 CA_BUNDLE 的路径，并复制到 verify 中.但是，通过将 CURL_CA_BUNDLE 设置为空字符串，空字符串被复制到 verify 中，而在 Python 中，空字符串的计算结果为 False.

The environment variables are meant to specify the path to the certificate file or CA_BUNDLE and are copied into verify. However, by setting CURL_CA_BUNDLE to an empty string, the empty string is copied into verify and in Python, an empty string evaluates to False.

请注意，此 hack 仅适用于 CURL_CA_BUNDLE 环境变量 - 它不适用于 REQUESTS_CA_BUNDLE.这是因为 verify 设置为以下声明:

Note that this hack only works with the CURL_CA_BUNDLE environment variable - it does not work with the REQUESTS_CA_BUNDLE. This is because verify is set with the following statement:

verify = (os.environ.get('REQUESTS_CA_BUNDLE') 或 os.environ.get('CURL_CA_BUNDLE'))

它只适用于 CURL_CA_BUNDLE 因为 '' or None 与 None or '' 不同，如下所示:

It only works with CURL_CA_BUNDLE because '' or None is not the same as None or '', as can be seen below:

print repr(None or "")
# Prints: ''
print repr("" or None )
# Prints: None

这篇关于禁用 Python 请求对导入的模块进行 SSL 验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！