Comments (30)
kennethreitz
commented on June 16, 2024
there are some patches/workarounds: http://stackoverflow.com/questions/1875052/using-paired-certificates-with-urllib2
from requests.
issackelly
commented on June 16, 2024
Maybe we could have an empty list of PEMs as the default, and then just some methods like:
verisign_pem = """-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
"""
requests.add_ca(verisign_pem)
It also probably wouldn't be too hard to keep a small list of acceptable PEMs on file, and then do
requests.accept_ca(["verisign", "geotrust"]) and pull them from an internal dict.
Just some ideas to get the ball rolling.
from requests.
kennethreitz
commented on June 16, 2024
I'm thinking of having a default list of PEMs that the major browsers use and accept. The list can be extended/modified via requests.settings.certs. By default, everything will behave as it does now.
Response.raise_for_cert() will raise an exception if the cert isn't accepted. I'm thinking an optional custom PEM argument could be passed into raise_for_cert() in the case that there's a private cert shared between the server and the client.
Will this suit everyone's needs?
from requests.
issackelly
commented on June 16, 2024
Yes, that would be perfect.
On Tue, May 24, 2011 at 7:42 PM, kennethreitz <
[email protected]>wrote:
I'm thinking of having a default list of PEMs that the major browsers use
and accept. The list can be extended/modified viarequests.settings.certs.
By default, everything will behave as it does now.
Response.raise_for_cert()will raise an exception if the cert isn't
accepted. I'm thinking an optional custom PEM could be passed into
raise_for_cert()in the case that there's a private cert shared between
the server and the client.Will this suit everyone's needs?
Reply to this email directly or view it on GitHub:
https://github.com/kennethreitz/requests/issues/30#comment_1232227
from requests.
cjw296
commented on June 16, 2024
Please can you make sure the default option is to use modssl's list of accepted certificates?
The trend in python request libraries to have to specify all the accepted certs rather than using the "system standards" is pretty annoying. If I have my own CA, I just want to install the certificate in /etc/ssl/certs/ rather than having to pass it in every piece of python client software I write ;-)
from requests.
merwok
commented on June 16, 2024
The standard ssl module has something to help here, but only for Python 3.2+: http://docs.python.org/dev/library/ssl#ssl.SSLContext.set_default_verify_paths
from requests.
kennethreitz
commented on June 16, 2024
The more I think about this, the more I think it's a bad idea.
If you look at httplib2, almost all of its issues are ssl-related.
I'm not ruling it out yet, but maybe it's a bit out of scope for requests itself. There could easily be a requests-ssl package that uses the hooks system to force checks and such.
Like I said, I'm just thinking out loud at this point.
from requests.
issackelly
commented on June 16, 2024
I wouldn't mind this as an external library, I just think it needs to exist in one form or another. I wouldn't mind you closing this with a "#wontfix" for being out of scope.
from requests.
kennethreitz
commented on June 16, 2024
eldarion/braintree_python@634f1f3#comments
from requests.
kennethreitz
commented on June 16, 2024
http://pypi.python.org/pypi/backports.ssl_match_hostname/
from requests.
kennethreitz
commented on June 16, 2024
http://whatschrisdoing.com/blog/2011/10/30/making-https-requests-secure-in-python/
from requests.
kennethreitz
commented on June 16, 2024
Definitely want to add this in, but it will certainly be considered experimental for a while.
from requests.
johncwheeler
commented on June 16, 2024
In the meantime, is there a reasonable way to implement this in requests manually? I have a requirement that might force me to drop the whole library, i would hate that - and it would be a ton of work.
(and thanks for the response, very glad to know it is coming! :)
from requests.
kennethreitz
commented on June 16, 2024
@JCWDev see eldarion/braintree_python@634f1f3#comments.
I honestly don't think it will take much effort. I'll accept a working pull requests that fits this workflow as soon as it happens :)
from requests.
johncwheeler
commented on June 16, 2024
Perhaps I'm just tired, but reading the code linked above it appears to be validating the server certificate, but perhaps it is validating the server cert and host name against the client cert?
I am just looking for a way to pass a client cert along with my request so that the receiving server can use it for identity check.
Hopefully I'm making sense :)
eg.
http://www.osmonov.com/2009/04/client-certificates-with-urllib2.html
from requests.
sciyoshi
commented on June 16, 2024
I don't think the Response.raise_for_cert() idea will work, since by the time the Response has been returned to the caller, the HTTP headers will already have been sent (and if it's a MITM attack, that leaks information).
from requests.
kennethreitz
commented on June 16, 2024
from requests.
kennethreitz
commented on June 16, 2024
This just landed in urllib3.
from requests.
kennethreitz
commented on June 16, 2024
I'm planning on bundling a CA bundle. Unfortunately, Mozilla's is GPL.
from requests.
kennethreitz
commented on June 16, 2024
Requests v0.8.8 was just released that includes ssl verification!
http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification
from requests.
kennethreitz
commented on June 16, 2024
v0.9.0 adds this by default. Enjoy.
β¨ π° β¨
from requests.
ojii
commented on June 16, 2024
<3
from requests.
sciyoshi
commented on June 16, 2024
Awesome, thanks!
from requests.
dpwiz
commented on June 16, 2024
Is there a way to provide client certificate (key file + cert file) for authorization purposes?
from requests.
kennethreitz
commented on June 16, 2024
@wlz you can provide any CA Bundle.
from requests.
dpwiz
commented on June 16, 2024
@kennethreitz that is to check server cert against a CA bundle or i'm missing something?
I've found traces of key/cert pair in packages, but not a mention of this in requests itself. Looks like there's some non-obvious way to actually pass client stuff to server as an auth token.
from requests.
cjw296
commented on June 16, 2024
How can I unsubscribe from this issue?!
from requests.
kennethreitz
commented on June 16, 2024
@cjw296: this pretty link: http://cl.ly/2U003k373O1L0b400y08
from requests.
cjw296
commented on June 16, 2024
thanks :-)
from requests.
dpwiz
commented on June 16, 2024
There, i fixed itβ’: https://gist.github.com/1710121
from requests.
Related Issues (20)
- Is feature freeze permanent? HOT 1
- Is feature freeze permanent? HOT 2
- Consider making certifi an optional dependency HOT 1
- Failed to ignore the SSL certificate verification when using `verify=False` option HOT 5
- Support for PKey (openssl) or cryptography Key classes in cert parameter in request (and linked) calls HOT 1
- [AttributeError]: Module 'collections' has no attribute 'MutableMapping' HOT 1
- Error in requests version 2.31.0 with urllib3 2.2.1 and 2.10 raise IncompleteRead(self._fp_bytes_read, self.length_remaining) HOT 2
- pytest.warns(None) is no longer supported HOT 4
- what if someone sets both data and files when making a request? HOT 1
- raise_for_status documentation is out of sync HOT 4
- Issue With Decimals In JSON Handling HOT 3
- Python hangs on import of the package HOT 1
- Upgrade idna to 3.7 for CVE-2024-3651 HOT 1
- not support HTTP2 header HOT 1
- requests.request does not check method parameter HOT 1
- Support usage of PKCS#11 Hardware Security Modules where applicable HOT 1
- Session.verify ignored if REQUEST_CA_BUNDLES is set; behaviour not documented. HOT 4
- Can't access trailers with the Request library HOT 1
- AttributeError: 'NoneType' object has no attribute 'setdefault' on environment proxies HOT 3
- Connection problems HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from requests.