Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

python context.verify_mode is ignored by requests module #6254

Open
revit13 opened this issue Oct 6, 2022 · 1 comment
Open

python context.verify_mode is ignored by requests module #6254

revit13 opened this issue Oct 6, 2022 · 1 comment

Comments

@revit13
Copy link

revit13 commented Oct 6, 2022

In the following code the response contains ssl error SSL: CERTIFICATE_VERIFY_FAILED although the default verify_mode ssl.CERT_NONE is set in the context by calling context=create_ssl_context() as hown below. I expected that I to get no ssl error.

It seems that verify_mode in the context is ignored by the requests module. It is not clear to me what attributes from the context are not ignored by the requests module? will it take context.minimum_version? Thanks

Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

def create_ssl_context(verify_mode=ssl.CERT_NONE,
                   key_file=None, cert_file=None,
                   cafile=None,
                   tls_min_version=None):
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    context.verify_mode = verify_mode
    if tls_min_version:
        context.minimum_version = tls_min_version
    if key_file or cert_file:
        context.load_cert_chain(cert_file, key_file)
    if cafile:
        context.load_verify_locations(cafile)
    else:
        context.set_default_verify_paths()
    return context

class SSLContextAdapter(requests.adapters.HTTPAdapter):
   def __init__(self, ssl_context=None, **kwargs):
      self.ssl_context = ssl_context
      super().__init__(**kwargs)

   def init_poolmanager(self, *args, **kwargs):
      kwargs['ssl_context'] = self.ssl_context
      return super(SSLContextAdapter, self).init_poolmanager(*args, **kwargs)


def client_side(context, hostname, data, headers):
  s = requests.Session()
  context = create_ssl_context()
  s.mount('https://', SSLContextAdapter(context))
  s.mount('http://', SSLContextAdapter(context))
  print(context.verify_mode)
  response = s.post(hostname, data=data, headers=headers)
  print(response.text)
@eth7
Copy link

eth7 commented Apr 14, 2023

I identified the issue it is that the kwargs argument sends verify as True despite the adapter's verify_mode is is set to None.
The solution was to add a check to disable SSL certificate verification when the adapter's ssl_context.verify_mode is set to ssl.CERT_NONE, by setting the verify parameter to False in the kwargs argument.
Check the following branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eth7 @revit13