【发布时间】:2020-04-24 14:00:43
【问题描述】:
这可能是一个比 python 更多的安全问题,但我们开始吧。
我想通过以下网址从 Web 服务获取数据:https://x.x.x.x/serviceWS/server.php?wsdl。他们向我发送了密钥、CRT 和 PEM 文件,但我无法使其工作:到目前为止,我有以下代码:
import requests
crt = '/path/to/crt'
key = '/path/to/key'
pem = '/path/to/pem'
body = '<soap>...</soap>'
res = requests.get(ws, cert=(crt, key), verify=pem)
它给了我这个错误:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='x.x.x.x', port=443): Max retries exceeded with url: /serviceWS/server.php?wsdl (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3/dist-packages/requests/api.py", line 72, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='x.x.x.x', port=443): Max retries exceeded with url: /serviceWS/server.php?wsdl (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
我的猜测是因为证书适用于如下域:'*.remotework.com.pe',而我正在尝试连接到 IP。如果这是问题所在,代码将永远无法工作,直到他们放置正确的域,对吧?
任何帮助都会很好!
【问题讨论】:
-
只是为了确保证书确实有效(这不是因为您获得了错误的证书),您是否尝试过使用 SoapUI 之类的工具测试服务?这种软件可以在测试服务的同时轻松消除代码的不确定性因素。
-
"当我尝试连接到一个 ip 时。"您总是在最后连接到 IP,但您确实需要将名称传递给为您连接的库,因为确实任何体面的库都必须将给出的主机名与证书中的内容进行比较(否则服务器证书是毫无意义的)。
-
@PatrickMevzek 这是找到解决方案的关键。我必须将目标 ip 添加到 /etc/host 文件中,一切正常!谢谢!
-
请将您的解决方案添加为下面的答案,然后对其进行验证,以便您的问题将被关闭,并且人们将来可以从您的发现中受益。
标签: python ssl python-requests pem