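Calling httplib.HTTPSConnection with valid certificate files (cert_file, key_file) produces this error, but when I call httplib.HTTPSConnection with an SSLContext argument, verification succeeds.
What could be the problem/difference?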
Python 2.7.5 (default, May 3 2017, 07:55:04)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-14)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import httplib
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1e-fips 11 Feb 2013'
>>> h = httplib.HTTPSConnection('valid.host.name', 1111, 'server.pem', 'server.pem')
>>> h.connect()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/httplib.py", line 1237, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 612, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 834, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
>>>
>>> PROTOCOL = ssl.PROTOCOL_SSLv23
>>> context = ssl.SSLContext(PROTOCOL)
>>> context.load_default_certs()
>>> clientCert = 'server.pem'
>>> clientKey = 'server.pem'
>>> context.load_cert_chain(clientCert, clientKey)
>>> h = httplib.HTTPSConnection('valid.host.name', 1111, context=context)
>>> h.connect()
>>>
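Looking deeper into ssl.py and httplib.py, the HTTPSConnection class called with the key_file and cert_file arguments calls the same methods as above (load_default_certs, load_cert_chain).
server.pem is a self-signed x509 certificate.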
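An added example, not part of the original post: a context built with ssl.SSLContext(ssl.PROTOCOL_SSLv23) defaults to verify_mode CERT_NONE, so a handshake through it succeeds without checking the server certificate, while ssl.create_default_context() requires a verified chain and a matching hostname. The code is written for Python 3's ssl module, where these constructor defaults are the same; the function names are hypothetical, and passing the self-signed server.pem as cafile is an assumption about how one would trust it.

```python
import ssl
import warnings


def bare_context():
    """Build a context the same way the second half of the session does."""
    with warnings.catch_warnings():
        # PROTOCOL_SSLv23 is a deprecated alias in recent Python 3 releases.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # Loads trusted CAs but does NOT switch verification on.
    ctx.load_default_certs()
    return ctx


def verifying_context(cafile=None):
    """Context that verifies the peer. With cafile set (e.g. a self-signed
    server.pem), only that file is trusted instead of the system CA store."""
    return ssl.create_default_context(cafile=cafile)


def harden(ctx):
    """Turn verification on for an existing context."""
    ctx.verify_mode = ssl.CERT_REQUIRED  # must be set before check_hostname
    ctx.check_hostname = True
    return ctx


def posture(ctx):
    """Summarise whether a context actually authenticates the server."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname,
    }


if __name__ == "__main__":
    for label, ctx in [
        ("SSLContext(PROTOCOL_SSLv23)", bare_context()),
        ("create_default_context()", verifying_context()),
        ("hardened SSLContext", harden(bare_context())),
    ]:
        print(label, posture(ctx))
```

A client certificate loaded with load_cert_chain only identifies the client to the server; it has no effect on whether the server's certificate is verified.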