This article covers troubleshooting the "ssl certificate verify failed" error.

Problem description

On Windows Vista SP2 + Python 2.7.10 I can connect to https://www.python.org, but not to https://codereview.appspot.com

Script:

HOST1 = 'https://www.python.org'
HOST2 = 'https://codereview.appspot.com'

import urllib2
print HOST1
urllib2.urlopen(HOST1)
print HOST2
urllib2.urlopen(HOST2)

And the output:

E:\>py test.py
https://www.python.org
https://codereview.appspot.com
Traceback (most recent call last):
  File "test.py", line 9, in <module>
    urllib2.urlopen(HOST2)
  File "C:\Python27\lib\urllib2.py", line 158, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 435, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 453, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 413, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1244, in https_open
    context=self._context)
  File "C:\Python27\lib\urllib2.py", line 1201, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

How can I troubleshoot, what exactly is wrong with https://codereview.appspot.com/ ?

Recommended answer

My guess is that it is related to the alternative chain handling in OpenSSL, as described in detail in Python Urllib2 SSL error. Although Python uses the Windows CA store to get the trusted root certificates, the validation of the trust chain itself is done within OpenSSL.

According to "Python 2.7.10 Released" Python 2.7.10 on Windows includes OpenSSL 1.0.2a but the fixes regarding alternative chains were done in 1.0.2b only (and had to be fixed fast afterwards because they contained a serious security bug).

If you look at the SSLLabs report for codereview.appspot.com you can see that there are multiple trust chains which probably causes the problem. Contrary to that python.org only has a single trust chain.

To work around the problem it might be necessary to use your own root CA store which must contain the certificate for "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority" to verify codereview.appspot.com correctly. The certificate can be found here and you can give it with the cafile parameter to urllib2.urlopen.
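
A diagnostic sketch of the checks the answer describes, added here as an example and not part of the original answer: it reports the linked OpenSSL version against the 1.0.2b boundary and compares a verified handshake using the default trust store with one using an explicit root CA file. The function names and the equifax.pem path are hypothetical; it uses ssl.create_default_context(cafile=...) instead of urllib2's cafile parameter so that it runs on Python 2.7.9+ and Python 3.

```python
from __future__ import print_function
import socket
import ssl

# Per the answer above: the alternative-chain fixes landed in OpenSSL 1.0.2b.
# ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); patch 1 is
# the "a" release, patch 2 is "b". Only the 1.0.2a/1.0.2b boundary is encoded.
ALT_CHAIN_FIXED_IN = (1, 0, 2, 2)

def has_alt_chain_fix(version_info):
    """True if the linked OpenSSL is 1.0.2b or later."""
    return tuple(version_info[:4]) >= ALT_CHAIN_FIXED_IN

def try_handshake(host, cafile=None, port=443, timeout=10):
    """Attempt a fully verified TLS handshake; return (ok, detail)."""
    try:
        # cafile=None: platform trust store. cafile set: only that PEM file.
        ctx = ssl.create_default_context(cafile=cafile)
    except (IOError, ssl.SSLError) as exc:
        return False, "cannot load CA file: %s" % exc
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.error as exc:
        return False, "connect failed: %s" % exc
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except (ssl.SSLError, ssl.CertificateError) as exc:
        sock.close()
        return False, "verification/TLS failed: %s" % exc
    except socket.error as exc:
        sock.close()
        return False, "handshake I/O failed: %s" % exc
    issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    tls.close()
    return True, "verified, leaf issued by %s" % issuer.get("commonName", issuer)

def diagnose(host, cafile=None):
    """Compare the default trust store against an explicit root CA file."""
    report = {"openssl": ssl.OPENSSL_VERSION,
              "alt_chain_fix": has_alt_chain_fix(ssl.OPENSSL_VERSION_INFO),
              "default_store": try_handshake(host)}
    if cafile:
        report["custom_cafile"] = try_handshake(host, cafile=cafile)
    return report

if __name__ == "__main__":
    # "equifax.pem" is a hypothetical local path for the root named in the answer.
    for key, value in sorted(diagnose("codereview.appspot.com", "equifax.pem").items()):
        print(key, "=>", value)
```

If the default store fails while the explicit CA file verifies, the server chain is fine and the problem lies in how the local OpenSSL builds the path, which is the situation the answer suspects.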


08-06 12:52