m-click / requests_pkcs12

Add PKCS#12 support to the Python requests library in a clean way, without monkey patching or temporary files
ISC License

requests.exceptions.SSLError with tls_process_server_certificate, certificate verify failed for valid p12 #16

Closed halilduygulu closed 4 years ago

halilduygulu commented 4 years ago

Hi, thanks for the library. I was struggling to make a p12 file work with requests. I also have pem and cer files, but could not make it work yet.

As expected, I entered the p12 path and password, and verified they are used by giving wrong values etc. I think I am getting an error from the server side that the certificate is not accepted, but I am using soap-ui with this p12 file and the same password and it just works from the same laptop.

Can you think of a reason why it is not working? I checked that it is TLS 1.2, not 1.3. I also checked closed issues but could not find related info.

The code is very simple:

from requests_pkcs12 import get
r = get('https://wssoap.services.xxxxxx.com/xxxxxx?wsdl',
        pkcs12_filename='/project_folder/certs/xxxxx.p12',
        pkcs12_password='xxxxxx')

Traceback (most recent call last):
  File "/project_folder/functions/list-trames/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/project_folder/functions/list-trames/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/project_folder/functions/list-trames/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "/project_folder/functions/list-trames/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

halilduygulu commented 4 years ago

Okay, I want to write here how to bypass this error; maybe other people coming from Google will find it helpful.

Mount this for everything; I was only using the company domain. Then use verify=False in get. It does not work when I delete verify. I know it is not a good thing.

session.mount('https://',

from zeep import Client
from zeep.wsse.username import UsernameToken
from zeep.transports import Transport
from requests_pkcs12 import get
from requests import Session
session = Session()
from requests_pkcs12 import Pkcs12Adapter
session.mount('https://', Pkcs12Adapter(pkcs12_filename='/project_folder/certs/xxxxx.p12', pkcs12_password='xxxx'))
r = session.get('https://xxx.com/xxxx?wsdl', verify=False)
transport = Transport(session=session)
user_name_token = UsernameToken('xxxx', 'xxxx')
client = Client('https://xxxxxx.com/xxxx?wsdl', wsse=[user_name_token], transport=transport)

When I delete the unused r = session.get it fails. I guess after the first time the handshake is cached in some way, so it is literally a workaround.

Such strange stuff; sometimes I really miss Java.

deajan commented 4 years ago

You actually need the CA cert file, which you pass to the verify parameter of the request, e.g.:

from requests_pkcs12 import get
r = get('https://wssoap.services.xxxxxx.com/xxxxxx?wsdl',
        pkcs12_filename='/project_folder/certs/xxxxx.p12',
        pkcs12_password='xxxxxx',
        verify='/project_folder/certs/CA.crt')

vog commented 4 years ago

Please note that this is also stated in the README:

In particular, do use the "verify" parameter to verify the server-side certificate.

Should it be placed at a more prominent position?

vog commented 4 years ago

Closing this issue, as we received no further feedback.
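
The CA-file fix from the thread applied to the zeep session in place of the `verify=False` workaround, as an added example that is not part of the original comments or the project's own code. `checked_ca_bundle` and `build_session` are hypothetical helper names, and the paths and host are the thread's placeholders.

```python
import os
import ssl


def checked_ca_bundle(ca_bundle):
    """Return ca_bundle as a path if it is a loadable PEM CA file, else raise ValueError."""
    if not isinstance(ca_bundle, (str, os.PathLike)):
        # Rejects verify=False/True/None: an explicit CA file is required here.
        raise ValueError("verify must be a path to a CA bundle, got %r" % (ca_bundle,))
    path = os.fspath(ca_bundle)
    try:
        # Parse the file the way TLS verification would, without any network I/O.
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=path)
    except OSError as exc:  # missing file, or ssl.SSLError for a file with no certificate
        raise ValueError("unusable CA bundle %s: %s" % (path, exc)) from exc
    return path


def build_session(pkcs12_filename, pkcs12_password, ca_bundle):
    """Session that presents the client certificate and verifies the server."""
    ca_path = checked_ca_bundle(ca_bundle)
    # Imported here so the CA check above is usable without these packages.
    from requests import Session
    from requests_pkcs12 import Pkcs12Adapter

    session = Session()
    session.mount('https://', Pkcs12Adapter(pkcs12_filename=pkcs12_filename,
                                            pkcs12_password=pkcs12_password))
    # Session-wide default: every request, including those zeep makes through
    # Transport(session=session), verifies the server against this CA file.
    session.verify = ca_path
    return session


if __name__ == '__main__':
    # Placeholder paths and host in the style of the thread; replace before running.
    from zeep import Client
    from zeep.transports import Transport
    session = build_session('/project_folder/certs/xxxxx.p12', 'xxxxxx',
                            '/project_folder/certs/CA.crt')
    client = Client('https://xxxxxx.com/xxxx?wsdl',
                    transport=Transport(session=session))
```

A `ValueError` from `checked_ca_bundle` separates a bad or missing CA file from a handshake failure, which otherwise both surface as `certificate verify failed`.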