pythonsslpython-3.xhttpsurllib

Verifying HTTPS certificates with urllib.request


I am trying to open an https URL using the urlopen method in Python 3's urllib.request module. It seems to work fine, but the documentation warns that "[i]f neither cafile nor capath is specified, an HTTPS request will not do any verification of the server’s certificate".

I am guessing I need to specify one of those parameters if I don't want my program to be vulnerable to man-in-the-middle attacks, problems with revoked certificates, and other vulnerabilities.

cafile and capath are supposed to point to a list of certificates. Where am I supposed to get this list from? Is there any simple and cross-platform way to use the same list of certificates that my OS or browser uses?


Solution

  • I found a library that does what I'm trying to do: Certifi. It can be installed by running pip install certifi from the command line.

    Making requests and verifying them is now easy:

    import certifi
    import urllib.request
    
    urllib.request.urlopen("https://example.com/", cafile=certifi.where())
    

    As I expected, this returns a HTTPResponse object for a site with a valid certificate and raises a ssl.CertificateError exception for a site with an invalid certificate.