Urllib and validation of server certificate

You could create a urllib2 opener which can do the validation for you using a custom handler. The following code is an example that works with Python 2.7.3. It assumes you have downloaded http://curl.haxx.se/ca/cacert.pem to the same folder where the script is saved.

#!/usr/bin/env python
import urllib2
import httplib
import ssl
import socket
import os

# CA bundle (the cacert.pem from curl.haxx.se) saved next to this script
CERT_FILE = os.path.join(os.path.dirname(__file__), 'cacert.pem')


class ValidHTTPSConnection(httplib.HTTPConnection):
    "This class allows communication via SSL."

    default_port = httplib.HTTPS_PORT

    def __init__(self, *args, **kwargs):
        # Only forwards to the base class; kept to make the subclass explicit
        httplib.HTTPConnection.__init__(self, *args, **kwargs)

    def connect(self):
        "Connect to a host on a given (SSL) port."

        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        if self._tunnel_host:
            # Going through a proxy: establish the CONNECT tunnel first
            self.sock = sock
            self._tunnel()
        # CERT_REQUIRED makes the handshake fail unless the server's
        # certificate chains to one of the CAs listed in CERT_FILE
        self.sock = ssl.wrap_socket(sock,
                                    ca_certs=CERT_FILE,
                                    cert_reqs=ssl.CERT_REQUIRED)


class ValidHTTPSHandler(urllib2.HTTPSHandler):

    def https_open(self, req):
        # Route every https:// request through the validating connection
        return self.do_open(ValidHTTPSConnection, req)

opener = urllib2.build_opener(ValidHTTPSHandler)


def test_access(url):
    print "Accessing", url
    page = opener.open(url)
    print page.info()
    data = page.read()
    print "First 100 bytes:", data[0:100]
    print "Done accessing", url
    print ""

# This should work
test_access("https://www.google.com")

# Accessing a page with a self-signed certificate should not work
# At the time of writing, the following page uses a self-signed certificate
test_access("https://tidia.ita.br/")

Running this script you should see output like this:

Accessing https://www.google.com
Date: Mon, 14 Jan 2013 14:19:03 GMT
Expires: -1
...

First 100 bytes: <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta itemprop
Done accesing https://www.google.com

Acessing https://tidia.ita.br/
Traceback (most recent call last):
  File "https_validation.py", line 54, in <module>
    test_access("https://tidia.ita.br/")
  File "https_validation.py", line 42, in test_access
    page = opener.open(url)
  ...
  File "/usr/local/Cellar/python/2.7.3/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1177, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>
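As an added example (not part of the answer above, and not code from urllib2 itself), here is the same idea written against Python 3's urllib.request and ssl modules, which runs offline. It makes two things explicit that the Python 2.7.3 code leaves implicit: ssl.wrap_socket() with cert_reqs=ssl.CERT_REQUIRED validates the chain against the CA bundle but does not check that the certificate's name matches the host that was requested (that check was only added to the standard library as ssl.match_hostname() in 2.7.9), whereas an SSLContext with check_hostname=True does both; and the unvalidated configuration that the comments below discuss is shown beside the hardened one so the difference is easy to see. The hostname matcher is a simplified re-implementation for illustration only, SAMPLE_PEERCERT is a constructed dict in the shape of getpeercert(), and ca_path is assumed to point at a PEM bundle such as the answer's cacert.pem (None selects the platform trust store).

```python
# Added example, not code from the original answer or from urllib2.
import os
import ssl
import urllib.request


def make_verifying_context(ca_path=None):
    """SSLContext that rejects unverifiable chains AND mismatched names.

    ca_path: PEM bundle such as the answer's cacert.pem (assumed path);
    None means the platform's trust store.
    """
    if ca_path is not None and not os.path.isfile(ca_path):
        raise FileNotFoundError("CA bundle not found: %s" % ca_path)
    # create_default_context() already sets CERT_REQUIRED and
    # check_hostname=True; restating them keeps the policy visible.
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_unvalidated_context():
    """What urllib2 in Python 2 effectively did: no chain and no name check.

    Shown only as the 'before' picture next to the hardened context above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_opener(ctx):
    """urllib.request's HTTPSHandler takes the context directly, so no
    HTTPConnection subclass is needed any more."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def context_policy(ctx):
    """Summarise the two settings that decide whether a MITM is detected."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def _label_matches(pattern_label, host_label):
    # A lone '*' stands for exactly one whole label; partial wildcards such
    # as 'f*o' are rejected, as modern OpenSSL does.
    if pattern_label == "*":
        return True
    if "*" in pattern_label:
        return False
    return pattern_label == host_label


def hostname_matches(peercert, hostname):
    """Simplified version of the name check check_hostname=True performs.

    peercert has the shape of SSLSocket.getpeercert(): a dict whose
    'subjectAltName' is a tuple of (type, value) pairs. Only DNS SANs are
    consulted here; the real check also has rules for IP addresses.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san_type, san_value in peercert.get("subjectAltName", ()):
        if san_type != "DNS":
            continue
        pattern_labels = san_value.lower().rstrip(".").split(".")
        if len(pattern_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if any("*" in label for label in pattern_labels[1:]):
            continue  # wildcard allowed in the left-most label only
        if all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels)):
            return True
    return False


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com")),
}

if __name__ == "__main__":
    hardened = make_verifying_context()
    print("hardened:", context_policy(hardened))
    print("python2-like:", context_policy(make_unvalidated_context()))
    print(hostname_matches(SAMPLE_PEERCERT, "www.example.com"))
    print(hostname_matches(SAMPLE_PEERCERT, "www.attacker.example"))
    opener = make_opener(hardened)
    # opener.open("https://www.google.com") now fails on a bad chain or name
```

With the hardened context, opener.open() raises ssl.SSLCertVerificationError both for the self-signed case the answer demonstrates and for a certificate that is validly signed but issued to a different name, which is the case the Python 2.7.3 code above lets through.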
Author: kheraud

Programming in Go, Scala, Python, Java, Bash... Focusing mostly on devops approaches and engineering matters.

Updated on July 09, 2022

Comments

  • kheraud, almost 2 years

    I use Python 2.6 and request the Facebook API (https). I guess my service could be a target of Man In The Middle attacks. I discovered this morning, reading the urllib module documentation again, that:

        Warning: When opening HTTPS URLs, it is not attempted to validate the server certificate. Use at your own risk!

    Do you have hints / URLs / examples to complete a full certificate validation?

    Thanks for your help

  • Chris, over 12 years
    You are checking a list of CAs from curl.haxx.se/ca/cacert.pem with this code. That connection is not over SSL, so someone could do a man-in-the-middle on that site to publish their own root CAs relative to this code and sign their own cert for Facebook or whatever site you are trying to validate.
  • Chris, over 12 years
    After thinking about it ever so slightly more, you cannot remotely retrieve a CA list; you must provide a local store. Even if you used digicert.com/testroot/DigiCertGlobalRootCA.crt (over SSL), how would you validate this?
  • jwhitlock, over 11 years
    All valid points. This code downloads a cert file from the internet if it isn't available locally. If you have a browser installed on your server (I usually don't), you can use the browser's certificate file, once you find it on your file system. Of course, unless you drive down to Mountain View, you are probably downloading your browser over the internet as well. You have to trust someone, at some point.
  • SpamapS, about 11 years
    You can trust your OS vendor, such as Ubuntu. Their ISOs are signed with a GPG key which is well known and inserted into a web of trust, one that you can easily verify by going to a local Ubuntu LoCo event and meeting people who have signed said key. From Ubuntu, you get a well maintained list of known trustworthy CA certs.
  • SpamapS, about 11 years
    Furthermore, this does two separate connections to verify the cert. A clever MITM will pass the first one through, and then MITM the second one.
  • pictuga, over 10 years
    The "def __init__(self, *args, **kwargs): httplib.HTTPConnection.__init__(self, *args, **kwargs)" thing seems useless to me.
  • Greg Schmit, over 6 years
    In your list of dangers, you should note explicitly that a MITM attack is possible on the retrieval of the certificates, as Chris noted. This is very important to have in the answer, and not as a comment. All you did is mention that you have to trust cURL, but that isn't the core issue.
  • jwhitlock, over 6 years
    Added the MITM note to the dangers. Also split out the get_ca_path function so it is clearer what should be customized.