Python 请求抛出 SSL 错误 [英] Python requests throwing SSL errors

问题描述

这是SSLError using requests for python的后续:

我刚刚在 Mac OSX 10.8.5 上安装了 requests.我第一次尝试 requests.get 因缺少证书而失败:

SSLError: [Errno 1] _ssl.c:504: error:14090086:SSLroutines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

• 上面的线程说要查找 /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/re‌ quests/cacert.pem但实际上我什至没有 .../site-packages/requests 目录.我不清楚这是否应该由安装添加(我使用了 pip)

• 进一步的线程和requests 文档说要安装certifi，所以我做到了.但现在我得到一个不同的错误:

  python -c '导入请求；requests.get("https://api.github.com/events")'/usr/lib/anaconda/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:InsecurePlatformWarning:真正的 SSLContext 对象不可用.这会阻止 urllib3 正确配置 SSL，并可能导致某些 SSL 连接失败.有关更多信息，请参阅 https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.不安全平台警告回溯(最近一次调用最后一次):...文件/usr/lib/anaconda/lib/python2.7/site-packages/requests/adapters.py"，第431行，发送引发 SSLError(e, request=request)requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 编码例程:ASN1_verify: 未知的消息摘要算法

谢谢！

解决方案

请注意，您正在使用 HTTPS.如请求手册 中所述><块引用>

要检查主机的 SSL 证书，您可以使用 verify 参数 [...] 默认情况下，verify 设置为 True

以下是解决此问题的几种方法:

更新 OpenSSL(可能会解决您的问题)

取自此处:

<块引用>

如果您遇到以下错误之一:

error:0D0890A1:asn1 编码例程:ASN1_verify:未知的消息摘要算法错误:0D0C50A1:asn1 编码例程:ASN1_item_verify:未知消息摘要算法您正在使用的软件可能是使用太旧的 OpenSSL 版本编译的，该版本不考虑使用 sha256WithRSAEncryption 签名的证书.

它至少需要 OpenSSL 0.9.8o 才能对 SHA256 进行全面管理.OpenSSl 0.9.7m 只保证部分管理，对于服务器仅模式.

通过

检查您的openssl版本

openssl 版本OpenSSL 1.0.1k-fips 2015 年 1 月 8 日

如果您的版本小于 OpenSSL0.9.8o，则必须更新其版本 (OS X):

brew 更新酿造安装openssl酿造链接--force openssl

如果这不起作用，请尝试以下方法:

brew 卸载 opensslrm -rf/usr/local/openssl酿造安装openssl

• 在 OS X 10.10.3 之前安装的 openssl 存在问题，重新安装即可修复
• 这些命令行将卸载 openssl，从硬盘中删除其文件夹并重新安装(更新版本)

安装certifi

取自此处

<块引用>

默认情况下，Requests 捆绑了一组它信任的根 CA，来源来自 Mozilla 信托商店.但是，这些仅更新一次每个请求版本.这意味着如果您固定请求版本您的证书可能会变得非常过时.

从 Requests 2.4.0 版本开始，Requests 将尝试使用如果系统上存在 certifi 的证书.这允许让用户无需更新他们的信任证书更改在其系统上运行的代码.

为了安全起见，我们建议经常升级证书！

换句话说，如果您有 Request 2.4.0 或更新版本，请尝试安装 certifi:

pip 安装证书

希望这能解决问题.

使用不同版本的 OpenSSL 和请求

使用谷歌查看，我发现 Python 2 中的 OpenSSL 存在问题:

• https://github.com/docker/docker-py/问题/465#issuecomment-76520363
• https://github.com/Homebrew/homebrew/issues/38226
• https://github.com/docker/compose/issues/1484

但是，我正在使用 Python 2.7.6、Requests 2.2.1 和 OpenSSL 1.0.1f 2014 年 1 月 6 日 并且一切正常.

通过证书

在其他情况下，如果主机的证书是由您签署的，您可能需要告诉 requests.get 证书文件的路径.

requests.get("https://api.github.com/events", verify=True, cert=['/path/to/my/ca.crt'])

将验证参数设置为 False(不推荐！)

如果您想避免证书验证，您必须将 verify=False 传递给 request.get 方法.

python -c '导入请求；requests.get("https://api.github.com/events", verify=False)'

或来自 script.py 文件:

导入请求res = requests.get("https://api.github.com/events", verify=False)打印资源

终端:

$ python script.py<响应[200]>

重要:非常糟糕的主意；您可能会受到MITM 攻击，这是一个严重的安全漏洞.>

This is a followup to SSLError using requests for python:

I have just installed requests on a Mac OSX 10.8.5. My first attempt at doing requests.get failed on missing certificate:

SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

• The thread above says to look for /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/re‌​quests/cacert.pem but actually I don't even have a .../site-packages/requests directory. It's not clear to me if this should have been added by the installation (I used pip)

• Further threads and the requests docs say to install certifi, so I did. But now I get a different error:

  python -c 'import requests; requests.get("https://api.github.com/events")'    /usr/lib/anaconda/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
    InsecurePlatformWarning
  Traceback (most recent call last):
  ...
    File "/usr/lib/anaconda/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
      raise SSLError(e, request=request)
  requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
  

Thanks!

解决方案

Notice that you're using HTTPS. As mentioned in the Requests manual

To check a host’s SSL certificate, you can use the verify argument [...] By default, verify is set to True

Here are few ways to fix that:

Update OpenSSL (probably will solve your problem)

Taken from here:

If you encounter one of the following errors:

error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
The software you are using might be compiled with a version too old of OpenSSL that does not take certificates signed with sha256WithRSAEncryption into account.

It requires at least OpenSSL 0.9.8o for a total management of SHA256. OpenSSl 0.9.7m only assures a partial management, for server mode only.

Check your openssl version by

openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015

If you have a smaller version than OpenSSL0.9.8o, you have to update its version (OS X):

brew update
brew install openssl
brew link --force openssl

If that doesn't work, try this way:

brew uninstall openssl
rm -rf /usr/local/openssl
brew install openssl

• there's an issue with openssl installed before OS X 10.10.3 and reinstalling it fixes it
• these command lines will uninstall openssl, remove its folder from your hard-disk and install it again (the updated version)

Install certifi

Taken from here

By default Requests bundles a set of root CAs that it trusts, sourced from the Mozilla trust store. However, these are only updated once for each Requests version. This means that if you pin a Requests version your certificates can become extremely out of date.

From Requests version 2.4.0 onwards, Requests will attempt to use certificates from certifi if it is present on the system. This allows for users to update their trusted certificates without having to change the code that runs on their system.

For the sake of security we recommend upgrading certifi frequently!

In other word, try to install certifi, if you have Request 2.4.0 or newer:

pip install certifi

Hopefully, this will fix the problem.

Use different version of OpenSSL and Requests

Looking into it using Google, I have found that there is a problem with OpenSSL in Python 2:

• https://github.com/docker/docker-py/issues/465#issuecomment-76520363
• https://github.com/Homebrew/homebrew/issues/38226
• https://github.com/docker/compose/issues/1484

However, I am using Python 2.7.6, Requests 2.2.1 and OpenSSL 1.0.1f 6 Jan 2014 and everything runs correctly.

Pass the certificate

In other cases, you may need to tell requests.get the path to the certificate file, if the host's certificate was signed by you.

requests.get("https://api.github.com/events", verify=True, cert=['/path/to/my/ca.crt'])

Set the verify argument to False (NOT RECOMMENDED!)

In case you want to avoid the certificate verification, you have to pass verify=False to the request.get method.

python -c 'import requests; requests.get("https://api.github.com/events", verify=False)'

or from script.py file:

import requests
res = requests.get("https://api.github.com/events", verify=False)
print res

terminal:

$ python script.py
<Response [200]>

Important: Very bad idea; You can be MITM attacked, which is a critical security vulnerability.

这篇关于Python 请求抛出 SSL 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！