多年以来,我已经在几乎所有项目中都使用了python request框架,而且还没有遇到这样的问题。
据我所知,这仅发生在网站 www.pagedna.com 上。要重现的代码示例非常简单
import requests
requests.get("https://www.pagedna.com")
Chrome / Firefox浏览器可以打开该网站,没问题,但是上面的代码段为我提供了通用的SSL失败异常
Traceback (most recent call last):
File "inline.py", line 2, in <module>
requests.get("https://www.pagedna.com")
File "/home/rishi/workspace/misc/venvs/mc3.4/lib/python3.4/site-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/home/rishi/workspace/misc/venvs/mc3.4/lib/python3.4/site-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/home/rishi/workspace/misc/venvs/mc3.4/lib/python3.4/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/home/rishi/workspace/misc/venvs/mc3.4/lib/python3.4/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/home/rishi/workspace/misc/venvs/mc3.4/lib/python3.4/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.pagedna.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
如果我使用servername参数,OpenSSL将为我提供正确的信息
openssl s_client -showcerts -servername www.pagedna.com -connect www.pagedna.com:443
CONNECTED(00000003)
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.pagedna.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIGrjCCBZagAwIBAgIJAJdLy96ULpdIMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MDcyNzE4MzUyMloX
DTIwMDkyNTE3MTExMVowOzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRYwFAYDVQQDDA0qLnBhZ2VkbmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAt6B/jE5FjTKWdEtNj8oRxzqlk5fGjBfYbsKjdPuSi0t6i0a8
lN9yVYLhLM988s3XXvcU8E9d30aQ51JDjxtkID9VP4z4x8E/fWjGpJZ/Nh1XMrSf
rmIZEXr+SZzUBp2dISIJKgmNNr3vVWS4BmViL7YXxvgZzGiZwQRACkoFdfGkkGcT
h1WOPIYf7nzxyasLvddSN5j6BU4XgiTpdlJSWofXFdMJBFfHoTyLUiH+stMzE4wU
gA+oxKzRqhDHJ+L393i2mv4y2FXiQ0InTqyKRGGuX8zmoPirHCRAmMItk9gmUoi+
/3nDVnUlIG6LOgcXylVbn22W5WXN4iwtZ8TCVwIDAQABo4IDOTCCAzUwDAYDVR0T
AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/
BAQDAgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20v
Z2RpZzJzMS04NTIuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3Bggr
etc...
但是,如果缺少-servername选项,它将为我提供不同的证书,我怀疑这是这里的问题。
相关的pip安装如下
pyOpenSSL==19.0.0
requests==2.21.0
requests-toolbelt==0.8.0
使用 python3.4
这是一个请求框架错误吗?我应该打开错误报告还是遗漏某些东西?
答案 0 :(得分:0)
...但是上面的代码段给了我通用的SSL失败异常...
...'tls_process_server_certificate', 'certificate verify failed')],)",),))
实际上,这不是一般的SSL故障。显然失败,因为它无法验证证书。原因不是SNI与非SNI,因为默认情况下长时间在请求中使用SNI。
原因是服务器配置错误。来自SSLLabs report:
此服务器的证书链不完整。等级上限为B。
Chrome / Firefox浏览器打开此网站,没问题...
桌面浏览器通常可以成功解决这种常见的错误配置,例如,通过缓存其他连接的中间证书,并使用这些证书来填充证书链中丢失的部分。但是,例如,如果尝试使用带有新配置文件的Firefox,则会遇到相同的SSL问题。