主机名与自签名 ssl python3 请求不匹配

Question

我是 python 新手。我已阅读请求模块的文档。我正在使用 python requests 模块验证网站的 crt 文件。我不想使用 /etc/ssl/certs 进行验证，而是想在自定义位置访问它。在我的代码中，crt 文件将放置在自定义位置。 代码将访问该文件并对其进行验证。它适用于各种 https 网站的 crt 文件。但它在自签名 ssl 上失败。在浏览器中，网页(https://192.168.1.27/) 被打开。但它不能通过 python 请求模块访问。 我在代码中添加了路径。它显示匹配错误。 我怎样才能做到这一点。我看到Validate SSL certificate using python 但我无法解决。 这是示例代码：

import requests
certpath = '/home/paulsteven/cert_check/Jeba.crt'
response = requests.get('https://192.168.1.27/', verify = certpath)

我得到的错误：

Traceback (most recent call last):
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connection.py", line 364, in connect
    _match_hostname(cert, self.assert_hostname or server_hostname)
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connection.py", line 374, in _match_hostname
    match_hostname(cert, asserted_hostname)
  File "/usr/lib/python3.5/ssl.py", line 301, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname '192.168.1.27' doesn't match 'Jeba'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/home/paulsteven/.local/lib/python3.5/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
requests.packages.urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.1.27', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '192.168.1.27' doesn't match 'Jeba'",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 480, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 588, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 437, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='192.168.1.27', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '192.168.1.27' doesn't match 'Jeba'",),))

Answer 1

首先，让我们了解错误。 SSL 证书附加了一个特定的主机名，在本例中为 Jaba。在这行代码中：

response = requests.get('https://192.168.1.27/', verify = certpath)

您发送的 HTTP 请求使用 192.168.1.27 作为 host header，而不是 Jaba。因此，目标是向 IP 地址为 192.168.1.27 的服务器发送一个 HTTPS 请求，其 Host 标头为 Jaba。

This utility 应该让您以最小的努力做到这一点。