Python的請求拋出SSL錯誤

Question

這是一個後續到SSLError using requests for python：

我剛纔在Mac OSX 10.8.5安裝requests。我在做requests.get第一次嘗試失敗失蹤證書：

SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

• 以上的線程說找/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/re‌​quests/cacert.pem但實際上我甚至不具有.../site-packages/requests目錄。如果這應該已經被安裝（我用pip）

• 而且線程添加和requests文檔說要安裝certifi，所以我也很我不清楚。但現在我得到一個不同的錯誤：

  python -c 'import requests; requests.get("https://api.github.com/events")' /usr/lib/anaconda/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. 
      InsecurePlatformWarning 
  Traceback (most recent call last): 
  ... 
      File "/usr/lib/anaconda/lib/python2.7/site-packages/requests/adapters.py", line 431, in send 
      raise SSLError(e, request=request) 
  requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm 
  

謝謝！

Answer 1

請注意，您正在使用HTTPS。正如Requests manual

To check a host’s SSL certificate, you can use the verify argument [...] By default, verify is set to True

這裏提到的一些方法來解決這個問題：

更新OpenSSL的（可能會解決你的問題）從here兩者

：

If you encounter one of the following errors:

error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm 
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm 
The software you are using might be compiled with a version too old of OpenSSL that does not take certificates signed with sha256WithRSAEncryption into account. 

It requires at least OpenSSL 0.9.8o for a total management of SHA256. OpenSSl 0.9.7m only assures a partial management, for server mode only.

檢查openssl版本

openssl version 
OpenSSL 1.0.1k-fips 8 Jan 2015 

如果您有OpenSSL0.9.8o一個較小的版本，你需要更新它的版本（OS X）：

brew update 
brew install openssl 
brew link --force openssl 

如果還是不行，請嘗試以下方法：

brew uninstall openssl 
rm -rf /usr/local/openssl 
brew install openssl 

• openssl之前安裝OS X 10.10.3並重新安裝它修復它
• 這些命令行將卸載openssl，從硬盤中刪除的文件夾，並重新安裝（更新版）

安裝certifi

從here

By default Requests bundles a set of root CAs that it trusts, sourced from the Mozilla trust store. However, these are only updated once for each Requests version. This means that if you pin a Requests version your certificates can become extremely out of date.

From Requests version 2.4.0 onwards, Requests will attempt to use certificates from certifi if it is present on the system. This allows for users to update their trusted certificates without having to change the code that runs on their system.

For the sake of security we recommend upgrading certifi frequently!

換句話說採取嘗試安裝certifi，如果您有Request 2.4.0或更新：

pip install certifi 

希望這會解決這個問題。

使用不同版本的OpenSSL和要求

尋找到它使用谷歌，我發現有在Python 2與OpenSSL的一個問題：

• https://github.com/docker/docker-py/issues/465#issuecomment-76520363
• https://github.com/Homebrew/homebrew/issues/38226
• https://github.com/docker/compose/issues/1484

但是，我正在使用Python 2.7.6,Requests 2.2.1和OpenSSL 1.0.1f 6 Jan 2014，並且一切運行正常。

合格證書

在其他情況下，你可能需要告訴requests.get路徑證書文件，如果主機的證書是由您簽字。

requests.get("https://api.github.com/events", verify=True, cert=['/path/to/my/ca.crt']) 

設置校驗參數爲False（不推薦！）

如果你想避免證書驗證，你必須通過verify=False到request.get方法。

python -c 'import requests; requests.get("https://api.github.com/events", verify=False)' 

或script.py文件：

import requests 
res = requests.get("https://api.github.com/events", verify=False) 
print res 

終端：

$ python script.py 
<Response [200]> 

重要：非常糟糕的主意;您可能受到MITM攻擊，這是一個嚴重的安全漏洞。