Comments (30)
there are some patches/workarounds: http://stackoverflow.com/questions/1875052/using-paired-certificates-with-urllib2
from requests.
Maybe we could have an empty list of PEMs as the default, and then just some methods like:
verisign_pem = """-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"""
requests.add_ca(verisign_pem)
It also probably wouldn't be too hard to keep a small list of acceptable PEMs on file, and then do
requests.accept_ca(["verisign", "geotrust"]) and pull them from an internal dict.
Just some ideas to get the ball rolling.
from requests.
I'm thinking of having a default list of PEMs that the major browsers use and accept. The list can be extended/modified via requests.settings.certs. By default, everything will behave as it does now.
Response.raise_for_cert() will raise an exception if the cert isn't accepted. I'm thinking an optional custom PEM argument could be passed into raise_for_cert() in the case that there's a private cert shared between the server and the client.
Will this suit everyone's needs?
from requests.
Yes, that would be perfect.
On Tue, May 24, 2011 at 7:42 PM, kennethreitz <[email protected]> wrote:
I'm thinking of having a default list of PEMs that the major browsers use and accept. The list can be extended/modified via requests.settings.certs. By default, everything will behave as it does now.
Response.raise_for_cert() will raise an exception if the cert isn't accepted. I'm thinking an optional custom PEM could be passed into raise_for_cert() in the case that there's a private cert shared between the server and the client. Will this suit everyone's needs?
Reply to this email directly or view it on GitHub:
https://github.com/kennethreitz/requests/issues/30#comment_1232227
from requests.
Please can you make sure the default option is to use modssl's list of accepted certificates?
The trend in python request libraries to have to specify all the accepted certs rather than using the "system standards" is pretty annoying. If I have my own CA, I just want to install the certificate in /etc/ssl/certs/ rather than having to pass it in every piece of python client software I write ;-)
from requests.
The standard ssl module has something to help here, but only for Python 3.2+: http://docs.python.org/dev/library/ssl#ssl.SSLContext.set_default_verify_paths
from requests.
The more I think about this, the more I think it's a bad idea.
If you look at httplib2, almost all of its issues are ssl-related.
I'm not ruling it out yet, but maybe it's a bit out of scope for requests itself. There could easily be a requests-ssl package that uses the hooks system to force checks and such.
Like I said, I'm just thinking out loud at this point.
from requests.
I wouldn't mind this as an external library, I just think it needs to exist in one form or another. I wouldn't mind you closing this with a "#wontfix" for being out of scope.
from requests.
eldarion/braintree_python@634f1f3#comments
from requests.
http://pypi.python.org/pypi/backports.ssl_match_hostname/
from requests.
http://whatschrisdoing.com/blog/2011/10/30/making-https-requests-secure-in-python/
from requests.
Definitely want to add this in, but it will certainly be considered experimental for a while.
from requests.
In the meantime, is there a reasonable way to implement this in requests manually? I have a requirement that might force me to drop the whole library, I would hate that - and it would be a ton of work.
(and thanks for the response, very glad to know it is coming! :)
from requests.
@JCWDev see eldarion/braintree_python@634f1f3#comments.
I honestly don't think it will take much effort. I'll accept a working pull request that fits this workflow as soon as it happens :)
from requests.
Perhaps I'm just tired, but reading the code linked above it appears to be validating the server certificate, but perhaps it is validating the server cert and host name against the client cert?
I am just looking for a way to pass a client cert along with my request so that the receiving server can use it for identity check.
Hopefully I'm making sense :)
eg.
http://www.osmonov.com/2009/04/client-certificates-with-urllib2.html
from requests.
I don't think the Response.raise_for_cert() idea will work, since by the time the Response has been returned to the caller, the HTTP headers will already have been sent (and if it's a MITM attack, that leaks information).
from requests.
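The ordering problem raised in the comment above, as an added example that is not part of the original thread or of the requests code base: with the standard ssl module, chain and hostname checks run inside the handshake, so a failed handshake raises before any request bytes are written. The names `verified_get` and `demo_failed_handshake` and the local peer (which simply does not speak TLS) are constructed for illustration.

```python
import socket
import ssl
import threading

def verified_get(host, port, path="/", cafile=None, timeout=5.0):
    """Send a GET only after the TLS handshake has verified chain and hostname."""
    # cafile=None trusts the system store; a path trusts only that (private) CA.
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # The handshake runs inside wrap_socket(); a bad chain or hostname raises
        # ssl.SSLError here, before the request below is written.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
            return b"".join(chunks)

def demo_failed_handshake():
    """Constructed local peer that cannot complete a TLS handshake; it records
    every byte the client sent so we can check what reached the wire."""
    received = bytearray()
    server = socket.create_server(("127.0.0.1", 0))
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                received.extend(conn.recv(4096))  # the ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # not TLS
                while chunk := conn.recv(4096):  # anything the client sends later
                    received.extend(chunk)
            except OSError:
                pass

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        verified_get("127.0.0.1", port, "/account?token=constructed-secret")
        outcome = "request sent"
    except (ssl.SSLError, ConnectionError):
        outcome = "refused before sending"
    worker.join(5.0)
    server.close()
    return outcome, bytes(received)
```

The peer sees only TLS handshake records (first byte 0x16); the request line and its query string never leave the client.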
This just landed in urllib3.
from requests.
I'm planning on bundling a CA bundle. Unfortunately, Mozilla's is GPL.
from requests.
Requests v0.8.8 was just released that includes ssl verification!
http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification
from requests.
v0.9.0 adds this by default. Enjoy.
✨ 🍰 ✨
from requests.
<3
from requests.
Awesome, thanks!
from requests.
Is there a way to provide client certificate (key file + cert file) for authorization purposes?
from requests.
@wlz you can provide any CA Bundle.
from requests.
@kennethreitz that is to check server cert against a CA bundle or I'm missing something?
I've found traces of key/cert pair in packages, but not a mention of this in requests itself. Looks like there's some non-obvious way to actually pass client stuff to server as an auth token.
from requests.
How can I unsubscribe from this issue?!
from requests.
@cjw296: this pretty link: http://cl.ly/2U003k373O1L0b400y08
from requests.
thanks :-)
from requests.
There, i fixed it™: https://gist.github.com/1710121
from requests.