尽管有最新的依赖关系，但 Python 请求出现 SSL 错误 [英] SSL error with Python requests despite up-to-date dependencies

问题描述

我收到 SSL握手错误"错误.对此问题的大多数类似响应似乎源于旧库，1024 位证书.不兼容等......我认为我是最新的，但不知道为什么我会收到这个错误.

I am getting an SSL "bad handshake" error. Most similar responses to this problem seem to stem from old libraries, 1024bit cert. incompatibility, etc... I think i'm up to date, and can't figure out why i'm getting this error.

设置:

• 请求 2.13.0
• 证书 2017.01.23
• 'OpenSSL 1.0.2g 2016 年 3 月 1 日'

我正在使用此 API(2048 位证书密钥):https://api.sidecar.io/rest/v1/provision/application/device/count/

I'm hitting this API (2048bit certificate key): https://api.sidecar.io/rest/v1/provision/application/device/count/

并收到此错误:requests.exceptions.SSLError: ("握手错误:错误([('SSL 例程', 'ssl3_get_server_certificate', '证书验证失败')],)",)

见https://github的l.44.com/sidecar-io/sidecar-python-sdk/blob/master/sidecar.py

如果我在请求中设置 verify=False，我可以绕过，但我宁愿找出认证失败的原因.

If I turn verify=False in requests, I can bypass, but i'd rather figure out why the certification is failing.

非常感谢任何帮助；谢谢！

Any help is greatly appreciated; thanks!

推荐答案

验证失败是因为您访问的服务器设置不正确，即这不是您的设置或代码的错误.查看来自 SSLLabs 的 报告 你看到了

The validation fails because the server you access is setup improperly, i.e. it is not a fault of your setup or code. Looking at the report from SSLLabs you see

此服务器的证书链不完整.等级上限为 B.

This server's certificate chain is incomplete. Grade capped to B.

这意味着服务器将缺少中间证书的证书链发送到受信任的根，因此您的客户端无法构建信任链.大多数桌面浏览器通过尝试从其他地方获取丢失的证书来解决此问题，但在这种情况下普通 TLS 库将失败.您需要将丢失的链证书明确添加为受信任才能解决此问题:

This means that the server sends a certificate chain which is missing an intermediate certificate to the trusted root and thus your client can not build the trust chain. Most desktop browsers work around this problem by trying to get the missing certificate from somewhere else but normal TLS libraries will fail in this case. You would need to explicitly add the missing chain certificate as trusted to work around this problem:

import requests
requests.get('https://api.sidecar.io', verify = 'mycerts.pem')

mycerts.pem 应包含缺少的中间证书和受信任的根证书.mycerts.pem 的测试版本可以在 http://pastebin.com/aZSKfyb7.

mycerts.pem should contain the missing intermediate certificate and the trusted root certificate. A tested version for mycerts.pem can be found in http://pastebin.com/aZSKfyb7.

这篇关于尽管有最新的依赖关系，但 Python 请求出现 SSL 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！