如何在Python请求中禁用安全证书检查
我正在使用
import requests
requests.post(url='https://foo.example', data={'bar':'baz'})
但是我遇到了一个请求错误,提示SSLError。这个网站的证书已经过期了,但我并不发送任何敏感数据,所以对我来说没关系。我想应该有一个类似'verify=False'的参数可以使用,但我找不到。
13 个回答
75
在补充一下Blender的回答,你可以通过设置 Session.verify = False 来关闭所有请求的SSL证书验证。
import requests
session = requests.Session()
session.verify = False
session.post(url='https://example.com', data={'bar':'baz'})
需要注意的是,urllib3(这是Requests库使用的)强烈不建议进行未验证的HTTPS请求,并且会抛出一个 InsecureRequestWarning 的警告。
198
使用 requests.packages.urllib3.disable_warnings() 和在 requests 方法中设置 verify=False。
import requests
from urllib3.exceptions import InsecureRequestWarning
# Suppress only the single warning from urllib3 needed.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Set `verify=False` on `requests.post`.
requests.post(url='https://example.com', data={'bar':'baz'}, verify=False)
865
来自文档的内容:
requests库可以通过将verify设置为False来忽略SSL证书的验证。>>> requests.get('https://kennethreitz.com', verify=False) <Response [200]>
如果你在使用一个第三方模块,并且想要关闭这些检查,这里有一个上下文管理器,它会修改requests,让verify=False成为默认设置,并且不会显示警告。
import warnings
import contextlib
import requests
from urllib3.exceptions import InsecureRequestWarning
old_merge_environment_settings = requests.Session.merge_environment_settings
@contextlib.contextmanager
def no_ssl_verification():
opened_adapters = set()
def merge_environment_settings(self, url, proxies, stream, verify, cert):
# Verification happens only once per connection so we need to close
# all the opened adapters once we're done. Otherwise, the effects of
# verify=False persist beyond the end of this context manager.
opened_adapters.add(self.get_adapter(url))
settings = old_merge_environment_settings(self, url, proxies, stream, verify, cert)
settings['verify'] = False
return settings
requests.Session.merge_environment_settings = merge_environment_settings
try:
with warnings.catch_warnings():
warnings.simplefilter('ignore', InsecureRequestWarning)
yield
finally:
requests.Session.merge_environment_settings = old_merge_environment_settings
for adapter in opened_adapters:
try:
adapter.close()
except:
pass
使用方法如下:
with no_ssl_verification():
requests.get('https://wrong.host.badssl.example/')
print('It works')
requests.get('https://wrong.host.badssl.example/', verify=True)
print('Even if you try to force it to')
requests.get('https://wrong.host.badssl.example/', verify=False)
print('It resets back')
session = requests.Session()
session.verify = True
with no_ssl_verification():
session.get('https://wrong.host.badssl.example/', verify=True)
print('Works even here')
try:
requests.get('https://wrong.host.badssl.example/')
except requests.exceptions.SSLError:
print('It breaks')
try:
session.get('https://wrong.host.badssl.example/')
except requests.exceptions.SSLError:
print('It breaks here again')
请注意,当你离开这个上下文管理器时,这段代码会关闭所有处理过的请求的适配器。这是因为requests会为每个会话维护一个连接池,而证书验证只会在每个连接中进行一次,所以可能会出现一些意想不到的情况:
>>> import requests
>>> session = requests.Session()
>>> session.get('https://wrong.host.badssl.example/', verify=False)
/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
<Response [200]>
>>> session.get('https://wrong.host.badssl.example/', verify=True)
/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
<Response [200]>