Urllib和服务器证书的验证
Urllib和服务器证书的验证
提问于 2011-07-11 10:46:22
我使用python 2.6并请求Facebook API (https)。我猜我的服务可以成为中间人攻击的目标。今天早上我再次阅读urllib模块文档时发现:引用:
Warning : When opening HTTPS URLs, it is not attempted to validate the server certificate. Use at your own risk!您是否有完成完整证书验证的提示/ url / examples?
谢谢你的帮忙
回答 2
Stack Overflow用户
回答已采纳
发布于 2013-01-14 14:20:50
您可以创建一个urllib2打开程序,它可以使用自定义处理程序为您执行验证。下面的代码是一个使用Python 2.7.3的示例。它假定您已将http://curl.haxx.se/ca/cacert.pem下载到保存脚本的同一文件夹中。
#!/usr/bin/env python
import urllib2
import httplib
import ssl
import socket
import os
CERT_FILE = os.path.join(os.path.dirname(__file__), 'cacert.pem')
class ValidHTTPSConnection(httplib.HTTPConnection):
"This class allows communication via SSL."
default_port = httplib.HTTPS_PORT
def __init__(self, *args, **kwargs):
httplib.HTTPConnection.__init__(self, *args, **kwargs)
def connect(self):
"Connect to a host on a given (SSL) port."
sock = socket.create_connection((self.host, self.port),
self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
self.sock = ssl.wrap_socket(sock,
ca_certs=CERT_FILE,
cert_reqs=ssl.CERT_REQUIRED)
class ValidHTTPSHandler(urllib2.HTTPSHandler):
def https_open(self, req):
return self.do_open(ValidHTTPSConnection, req)
opener = urllib2.build_opener(ValidHTTPSHandler)
def test_access(url):
print "Acessing", url
page = opener.open(url)
print page.info()
data = page.read()
print "First 100 bytes:", data[0:100]
print "Done accesing", url
print ""
# This should work
test_access("https://www.google.com")
# Accessing a page with a self signed certificate should not work
# At the time of writing, the following page uses a self signed certificate
test_access("https://tidia.ita.br/")运行此脚本,您应该会看到如下所示的输出:
Acessing https://www.google.com
Date: Mon, 14 Jan 2013 14:19:03 GMT
Expires: -1
...
First 100 bytes: <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta itemprop
Done accesing https://www.google.com
Acessing https://tidia.ita.br/
Traceback (most recent call last):
File "https_validation.py", line 54, in <module>
test_access("https://tidia.ita.br/")
File "https_validation.py", line 42, in test_access
page = opener.open(url)
...
File "/usr/local/Cellar/python/2.7.3/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1177, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>Stack Overflow用户
发布于 2011-08-10 22:34:41
如果您有一个受信任的证书颁发机构(CA)文件,则可以使用Python2.6和更高版本的ssl库来验证证书。下面是一些代码:
import os.path
import ssl
import sys
import urlparse
import urllib
def get_ca_path():
'''Download the Mozilla CA file cached by the cURL project.
If you have a trusted CA file from your OS, return the path
to that instead.
'''
cafile_local = 'cacert.pem'
cafile_remote = 'http://curl.haxx.se/ca/cacert.pem'
if not os.path.isfile(cafile_local):
print >> sys.stderr, "Downloading %s from %s" % (
cafile_local, cafile_remote)
urllib.urlretrieve(cafile_remote, cafile_local)
return cafile_local
def check_ssl(hostname, port=443):
'''Check that an SSL certificate is valid.'''
print >> sys.stderr, "Validating SSL cert at %s:%d" % (
hostname, port)
cafile_local = get_ca_path()
try:
server_cert = ssl.get_server_certificate((hostname, port),
ca_certs=cafile_local)
except ssl.SSLError:
print >> sys.stderr, "SSL cert at %s:%d is invalid!" % (
hostname, port)
raise
class CheckedSSLUrlOpener(urllib.FancyURLopener):
'''A URL opener that checks that SSL certificates are valid
On SSL error, it will raise ssl.
'''
def open(self, fullurl, data = None):
urlbits = urlparse.urlparse(fullurl)
if urlbits.scheme == 'https':
if ':' in urlbits.netloc:
hostname, port = urlbits.netloc.split(':')
else:
hostname = urlbits.netloc
if urlbits.port is None:
port = 443
else:
port = urlbits.port
check_ssl(hostname, port)
return urllib.FancyURLopener.open(self, fullurl, data)
# Plain usage - can probably do once per day
check_ssl('www.facebook.com')
# URL Opener
opener = CheckedSSLUrlOpener()
opener.open('https://www.facebook.com/find-friends/browser/')
# Make it the default
urllib._urlopener = opener
urllib.urlopen('https://www.facebook.com/find-friends/browser/')这段代码有一些危险:
- 您必须信任cURL项目(http://curl.haxx.se/ca/cacert.pem)中的CA文件,它是Mozilla的CA文件的缓存版本。它也是基于HTTP的,因此存在潜在的MITM攻击。最好用返回本地CA文件的文件替换
get_ca_path。 - 不会尝试查看CA文件是否已更新。最终,根证书将过期或被停用,并将添加新证书。一个好主意是使用cron作业来删除缓存的CA文件,这样每天都会下载一个新的文件。
- 每次检查证书可能都有点过分了。您可以在每次运行时手动检查一次,或者在运行过程中保留一个“已知良好”主机的列表。或者,疑神疑鬼!
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/6648952
复制相关文章
相似问题
python小数四舍五入问题
Python大小数四舍五入问题
小数四舍五入的问题
MySQL小数四舍五入问题
KendoNumericTextBox小数四舍五入问题
添加站长 进交流群
领取专属 10元无门槛券
AI混元助手 在线答疑
关注 腾讯云开发者公众号
洞察 腾讯核心技术
剖析业界实践案例
腾讯云开发者
