Urllib and validation of server certificate
21,687
You could create a urllib2 opener which can do the validation for you using a custom handler. The following code is an example that works with Python 2.7.3 . It assumes you have downloaded http://curl.haxx.se/ca/cacert.pem to the same folder where the script is saved.
#!/usr/bin/env python
import urllib2
import httplib
import ssl
import socket
import os
CERT_FILE = os.path.join(os.path.dirname(__file__), 'cacert.pem')
class ValidHTTPSConnection(httplib.HTTPConnection):
"This class allows communication via SSL."
default_port = httplib.HTTPS_PORT
def __init__(self, *args, **kwargs):
httplib.HTTPConnection.__init__(self, *args, **kwargs)
def connect(self):
"Connect to a host on a given (SSL) port."
sock = socket.create_connection((self.host, self.port),
self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
self.sock = ssl.wrap_socket(sock,
ca_certs=CERT_FILE,
cert_reqs=ssl.CERT_REQUIRED)
class ValidHTTPSHandler(urllib2.HTTPSHandler):
def https_open(self, req):
return self.do_open(ValidHTTPSConnection, req)
opener = urllib2.build_opener(ValidHTTPSHandler)
def test_access(url):
print "Acessing", url
page = opener.open(url)
print page.info()
data = page.read()
print "First 100 bytes:", data[0:100]
print "Done accesing", url
print ""
# This should work
test_access("https://www.google.com")
# Accessing a page with a self signed certificate should not work
# At the time of writing, the following page uses a self signed certificate
test_access("https://tidia.ita.br/")
Running this script you should see something a output like this:
Acessing https://www.google.com
Date: Mon, 14 Jan 2013 14:19:03 GMT
Expires: -1
...
First 100 bytes: <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta itemprop
Done accesing https://www.google.com
Acessing https://tidia.ita.br/
Traceback (most recent call last):
File "https_validation.py", line 54, in <module>
test_access("https://tidia.ita.br/")
File "https_validation.py", line 42, in test_access
page = opener.open(url)
...
File "/usr/local/Cellar/python/2.7.3/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1177, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>
Related videos on Youtube
Author by
kheraud
Programming in Go, Scala, Python, Java, Bash... Focusing mostly on devops approaches and engineering matters.
Updated on July 09, 2022Comments
-
kheraud almost 2 years
I use python 2.6 and request Facebook API (https). I guess my service could be target of Man In The Middle attacks. I discovered this morning reading again urllib module documentation that : Citation:
Warning : When opening HTTPS URLs, it is not attempted to validate the server certificate. Use at your own risk!
Do you have hints / url / examples to complete a full certificate validation ?
Thanks for your help
-
Bruno almost 13 yearsYou may be interested in this question: stackoverflow.com/questions/6167148/…
-
-
Chris over 12 yearsYou are checking a list of CAs from curl.haxx.se/ca/cacert.pem with this code. That connection is not over ssl so someone could do man in the middle on that site to publish their own root CAs relative to this code and sign their own cert for facebook or whatever site you are trying to validate
-
Chris over 12 yearsAfter thinking about it ever so slightly more, you can not remotely retrieve a CA list, you must provide a local store. Even if you used digicert.com/testroot/DigiCertGlobalRootCA.crt (over ssl) how would you validate this?
-
jwhitlock over 11 yearsAll valid points. This code downloads a cert file from the internet if it isn't available locally. If you have a browser installed on your server (I usually don't), you can use the browser's certificate file, once you find it on your file system. Of course, unless you drive down to Mountain View, you are probably downloading your browser over the internet as well. You have to trust someone, at some point.
-
SpamapS about 11 yearsYou can trust your OS vendor, such as Ubuntu. Their isos are signed via GPG key which is well known and inserted into a web of trust, one that you can easily verify by going to a local Ubuntu Loco event and meeting people who have signed said key. From Ubuntu, you get a well maintained list of known trustworthy CA certs.
-
SpamapS about 11 yearsFurthermore, this does two separate connections to verify the cert. A clever MITM will pass the first one through, and then MITM the second one.
-
pictuga over 10 yearsthe
def __init__(self, *args, **kwargs): httplib.HTTPConnection.__init__(self, *args, **kwargs)
thing seems useless to me -
Greg Schmit over 6 yearsIn your list of dangers, you should note explicitly that a MITM attack is possible on the retrieval of the certificates, as Chris noted. This is very important to have in the answer, and not as a comment. All you did is mention that you have to trust cURL, but that isn't the core issue.
-
jwhitlock over 6 yearsAdded the MITM note to the dangers. Also split out the
get_ca_path
function so it is clearer what should be customized.